10341000x8000000000000000515590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.419{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000515589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.419{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A77-634D-0A00-000000008502}640368C:\Windows\system32\services.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.404{5C0BDE06-1A79-634D-1500-000000008502}1036\Winsock2\CatalogChangeListener-40c-0C:\Windows\system32\svchost.exe 10341000x8000000000000000515582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.388{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000515565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.388{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000515564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpGatewayHardwareCountDWORD (0x00000001) 13241300x8000000000000000515546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpGatewayHardwareBinary Data 12241200x8000000000000000515545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpGatewayHardwareCount 12241200x8000000000000000515544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpGatewayHardware 11241100x8000000000000000515543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17T10532022-10-17 09:03:53.341{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 10341000x8000000000000000515542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.341{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000515540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.341{5C0BDE06-1A79-634D-1500-000000008502}1036\atsvcC:\Windows\system32\svchost.exe 10341000x8000000000000000515537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.310{5C0BDE06-1A78-634D-1000-000000008502}960\Ctx_WinStation_API_serviceC:\Windows\System32\svchost.exe 17141700x8000000000000000515532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.310{5C0BDE06-1A78-634D-1000-000000008502}960\TermSrv_API_serviceC:\Windows\System32\svchost.exe 10341000x8000000000000000515531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.263{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.263{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.232{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.232{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.232{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.232{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.216{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.216{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.216{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000015) 13241300x8000000000000000515510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000015) 13241300x8000000000000000515509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\20UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x8000000000000000515508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000515507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x8000000000000000515506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x8000000000000000515505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000515504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000515503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000515502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseTerminatesTimeDWORD (0x634d2889) 13241300x8000000000000000515501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\T2DWORD (0x634d26c7) 13241300x8000000000000000515500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\T1DWORD (0x634d2181) 13241300x8000000000000000515499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseObtainedTimeDWORD (0x634d1a79) 13241300x8000000000000000515498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseDWORD (0x00000e10) 13241300x8000000000000000515497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpServer10.0.1.1 13241300x8000000000000000515496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000515495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpIPAddress10.0.1.15 13241300x8000000000000000515494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpInterfaceOptionsBinary Data 13241300x8000000000000000515493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpSubnetMaskOptBinary Data 13241300x8000000000000000515492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpDefaultGatewayBinary Data 13241300x8000000000000000515491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpNameServer10.0.0.2 13241300x8000000000000000515490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer10.0.0.2 13241300x8000000000000000515489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000515488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpDomainus-east-2.compute.internal 13241300x8000000000000000515487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomainus-east-2.compute.internal 10341000x8000000000000000515486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.200{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.200{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.200{5C0BDE06-1A77-634D-0A00-000000008502}640340C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.200{5C0BDE06-1A77-634D-0A00-000000008502}640368C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000515481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000515473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x8000000000000000515469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000515466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000515465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000515464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000515463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseTerminatesTimeDWORD (0x00000000) 13241300x8000000000000000515462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\T2DWORD (0x00000000) 13241300x8000000000000000515461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\T1DWORD (0x00000000) 13241300x8000000000000000515460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseObtainedTimeDWORD (0x00000000) 13241300x8000000000000000515459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseDWORD (0x00000000) 13241300x8000000000000000515458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpServer255.255.255.255 13241300x8000000000000000515457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpSubnetMask255.0.0.0 13241300x8000000000000000515456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpIPAddress0.0.0.0 13241300x8000000000000000515455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\Dhcpv6StateDWORD (0x00000001) 12241200x8000000000000000515454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpInterfaceOptions 12241200x8000000000000000515453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpDefaultGateway 12241200x8000000000000000515452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpSubnetMaskOpt 12241200x8000000000000000515451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpDomain 12241200x8000000000000000515450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain 12241200x8000000000000000515449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpNameServer 12241200x8000000000000000515448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer 13241300x8000000000000000515447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\Dhcpv6StateDWORD (0x00000000) 13241300x8000000000000000515446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000515444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000515442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.154{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.154{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.154{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.154{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000515438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.122{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.122{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.122{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.091{5C0BDE06-1A77-634D-0A00-000000008502}640936C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.076{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.076{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.076{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A77-634D-0A00-000000008502}640740C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A77-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{5C0BDE06-1A78-634D-E503-000000000000}0x3e50SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A77-634D-0A00-000000008502}640704C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:52.997{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 10341000x8000000000000000515402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.982{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.982{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.919{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.919{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.904{5C0BDE06-1A78-634D-0E00-000000008502}904448C:\Windows\system32\LogonUI.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.888{5C0BDE06-1A77-634D-0A00-000000008502}640368C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.888{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0A00-000000008502}640732C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.857{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.857{5C0BDE06-1A77-634D-0A00-000000008502}640740C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.857{5C0BDE06-1A77-634D-0A00-000000008502}640936C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.857{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.843{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5C0BDE06-1A78-634D-E403-000000000000}0x3e40SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744952C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744952C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744928C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744928C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744928C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744928C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.825{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0800-000000008502}512528C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0900-000000008502}588892C:\Windows\system32\winlogon.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.818{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{5C0BDE06-1A78-634D-FDB5-000000000000}0xb5fd1SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000515368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0800-000000008502}512616C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0900-000000008502}588592C:\Windows\system32\winlogon.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.817{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3be8055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000515365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1d27e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1b736|C:\Windows\system32\lsasrv.dll+1cce5|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744864C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744864C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744864C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000515346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:52.669{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000515345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:52.669{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x8000000000000000515344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.638{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.638{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.638{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+46838|c:\windows\system32\rpcss.dll+7593|c:\windows\system32\rpcss.dll+74fe|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.622{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.607{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.607{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.576{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.560{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.560{5C0BDE06-1A77-634D-0A00-000000008502}640644C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a423|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.560{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.560{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.529{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.529{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.388{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0A00-000000008502}640644C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a698|C:\Windows\system32\services.exe+1a391|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.381{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.341{5C0BDE06-1A77-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.341{5C0BDE06-1A77-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17T1101SetValue2022-10-17 09:03:52.341{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008) 10341000x8000000000000000515320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.044{5C0BDE06-1A77-634D-0B00-000000008502}648652C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+5ac9c|C:\Windows\system32\lsasrv.dll+63e8f|C:\Windows\system32\lsasrv.dll+6f44e|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+46b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.951{5C0BDE06-1A77-634D-0700-000000008502}504508C:\Windows\system32\wininit.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.951{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.951{5C0BDE06-1A77-634D-0700-000000008502}504508C:\Windows\system32\wininit.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.955{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\System32\lsass.exe10.0.14393.4704 (rs1_release.211004-1917)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000515315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.904{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.904{5C0BDE06-1A77-634D-0700-000000008502}504508C:\Windows\system32\wininit.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.902{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exe10.0.14393.4169 (rs1_release.210107-1130)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=FEFC26105685C70D7260170489B5B520,SHA256=930F44F9A599937BDB23CF0C7EA4D158991B837D2A0975C15686CDD4198808E8,IMPHASH=A1C9FD59764D67AA201947276212F7CF{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000515312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.810{5C0BDE06-1A77-634D-0600-000000008502}496500C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.807{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe- 10341000x8000000000000000515310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.794{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000515309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.747{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-host-ctus-attack-range-17 10341000x8000000000000000515308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A77-634D-0400-000000008502}416420C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.739{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{5C0BDE06-1A77-634D-0400-000000008502}416C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c 10341000x8000000000000000515306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A77-634D-0600-000000008502}496500C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.744{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe- 10341000x8000000000000000515304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.735{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000c4 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000515301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000515300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x6059456b) 13241300x8000000000000000515299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x8000000000000000515298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x8000000000000000515297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000515296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x8000000000000000515295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&6798829&0&UID0 10341000x8000000000000000515294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.576{5C0BDE06-1A77-634D-0400-000000008502}416420C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.577{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5C0BDE06-1A77-634D-0400-000000008502}416C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c 10341000x8000000000000000515292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.466{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}416C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.466{5C0BDE06-1A74-634D-0200-000000008502}320412C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}416C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.475{5C0BDE06-1A77-634D-0400-000000008502}416C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000515289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.138{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x8000000000000000515288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:49.138{5C0BDE06-1A74-634D-0200-000000008502}320324C:\Windows\System32\smss.exe{5C0BDE06-1A75-634D-0300-000000008502}364C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:49.134{5C0BDE06-1A75-634D-0300-000000008502}364C:\Windows\System32\autochk.exe10.0.14393.4350 (rs1_release.210407-2154)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=A512733E2C767F87A8029400B4A48CD0,SHA256=1ED75EB59C2897304E0160E0605071178418802C31910D78A2076B0414047875,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000515286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000515285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000515284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000515283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000515282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000515281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000515280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000515279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000515278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 13241300x8000000000000000515277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000515276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000515275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000515274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000515273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5eb5a92d) 13241300x8000000000000000515272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\gencounter\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5eb5a92d) 13241300x8000000000000000515271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.895{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\intelppm\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5eb446cf) 13241300x8000000000000000515270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.866{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000014) 13241300x8000000000000000515269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.866{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000014) 13241300x8000000000000000515268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.866{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\19LPTENUM\MicrosoftRawPort\5&dde82d&0&LPT1 12241200x8000000000000000515267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:48.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalled 13241300x8000000000000000515266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalledDWORD (0x00002f89) 13241300x8000000000000000515265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e8f8374) 13241300x8000000000000000515264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e8f8374) 13241300x8000000000000000515263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.607{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.607{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000515261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.607{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMinorVersionDWORD (0x00000032) 13241300x8000000000000000515260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.607{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.576{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x8000000000000000515258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.560{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x8000000000000000515257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.497{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000515256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.497{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000515255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.497{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000515254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000515252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\DriverMinorVersionDWORD (0x00000037) 13241300x8000000000000000515249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000515248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\NdisMinorVersionDWORD (0x00000032) 13241300x8000000000000000515247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.451{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.451{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000515244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.451{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x8000000000000000515243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.451{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.341{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x8000000000000000515241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000515240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x8000000000000000515239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{89bc14aa-3f37-11ed-abb2-806e6f6e6963}#0000000000100000 13241300x8000000000000000515238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000515237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x8000000000000000515236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{89bc14aa-3f37-11ed-abb2-806e6f6e6963}#0000000000100000 434400x8000000000000000515235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-172022-10-17 09:03:54.627Started13.014.50 10341000x8000000000000000516351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.777{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3B00-000000008502}2824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.776{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3B00-000000008502}2824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.774{5C0BDE06-1A7B-634D-3A00-000000008502}29362840C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7B-634D-3B00-000000008502}2824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A7B-634D-3B00-000000008502}2824C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x8000000000000000516338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.770{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.767{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.767{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.767{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.766{5C0BDE06-1A7B-634D-3900-000000008502}29002892C:\Windows\system32\cmd.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.767{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x8000000000000000516325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.763{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.762{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.762{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.760{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.760{5C0BDE06-1A7B-634D-3000-000000008502}29762980C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11e04|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.760{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.728{5C0BDE06-1A7B-634D-3800-000000008502}15121204C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000516311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:55.499{5C0BDE06-1A79-634D-1E00-000000008502}1940\aurora-agent-pprofC:\Program Files\Aurora-Agent\aurora-agent.exe 17141700x8000000000000000516310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:55.499{5C0BDE06-1A79-634D-1E00-000000008502}1940\aurora-agent-statusC:\Program Files\Aurora-Agent\aurora-agent.exe 13241300x8000000000000000516309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:55.488{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\EventMessageFile%%SystemRoot%%\System32\EventCreate.exe 13241300x8000000000000000516308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:55.488{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000516307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:55.488{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\CustomSourceDWORD (0x00000001) 12241200x8000000000000000516306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteKey2022-10-17 09:03:55.487{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent 17141700x8000000000000000516305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:55.486{5C0BDE06-1A77-634D-0A00-000000008502}640\Winsock2\CatalogChangeListener-280-0C:\Windows\system32\services.exe 10341000x8000000000000000516304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.482{5C0BDE06-1A77-634D-0A00-000000008502}6401816C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000516303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.482{5C0BDE06-1A79-634D-1E00-000000008502}1940NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent.exeC:\Program Files\Aurora-Agent\service-startup.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3800-000000008502}1512C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3800-000000008502}1512C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A7B-634D-3700-000000008502}27602792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7B-634D-3800-000000008502}1512C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.453{5C0BDE06-1A7B-634D-3800-000000008502}1512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x8000000000000000516289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A7B-634D-3600-000000008502}20361260C:\Windows\system32\cmd.exe{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.446{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x8000000000000000516276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A7B-634D-3000-000000008502}29762980C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11a87|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.439{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.427{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.397{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000516260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.375{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-000MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.360{5C0BDE06-1A7B-634D-3500-000000008502}30523056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.360{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.331{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.331{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.325{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.325{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.214{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.111{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.074{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3500-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.074{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.073{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3500-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.073{5C0BDE06-1A7B-634D-3400-000000008502}30323036C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7B-634D-3500-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.073{5C0BDE06-1A7B-634D-3500-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x8000000000000000516119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.066{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-3300-000000008502}30163020C:\Windows\system32\cmd.exe{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.063{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x8000000000000000516115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-3000-000000008502}29762980C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11a26|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.056{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3008C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3008C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-3100-000000008502}29842988C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}3008C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-3200-000000008502}3008C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc.exe qc npcapC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{5C0BDE06-1A7B-634D-3100-000000008502}2984C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c sc.exe qc npcap 10341000x8000000000000000516080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.044{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.044{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3100-000000008502}2984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3100-000000008502}2984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.041{5C0BDE06-1A79-634D-1900-000000008502}17881792C:\Windows\SYSTEM32\cmd.exe{00000000-0000-0000-0000-000000000000}2984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\SYSTEM32\cmd.exe+103c4|C:\Windows\SYSTEM32\cmd.exe+10910|C:\Windows\SYSTEM32\cmd.exe+c36d|C:\Windows\SYSTEM32\cmd.exe+8ad9|C:\Windows\SYSTEM32\cmd.exe+6fdd|C:\Windows\SYSTEM32\cmd.exe+11a9e|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.041{5C0BDE06-1A7B-634D-2F00-000000008502}29642968C:\Windows\system32\cmd.exe{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A7B-634D-3100-000000008502}2984C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c sc.exe qc npcapC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\System32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Program Files\Npcap\CheckStatus.bat" 154100x8000000000000000516064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.036{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.035{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe508|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.035{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.018{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.018{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A77-634D-0A00-000000008502}6401832C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.991{5C0BDE06-1A7A-634D-2C00-000000008502}28602892C:\Windows\system32\conhost.exe{5C0BDE06-1A7A-634D-2D00-000000008502}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.991{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2D00-000000008502}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.991{5C0BDE06-1A7A-634D-2A00-000000008502}28442848C:\Windows\system32\cmd.exe{5C0BDE06-1A7A-634D-2D00-000000008502}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.985{5C0BDE06-1A7A-634D-2D00-000000008502}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x8000000000000000516014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.960{5C0BDE06-1A7A-634D-2C00-000000008502}28602892C:\Windows\system32\conhost.exe{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2852C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2852C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A7A-634D-2800-000000008502}28122816C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2852C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.946{5C0BDE06-1A7A-634D-2B00-000000008502}2852C:\Windows\System32\find.exe10.0.14393.0 (rs1_release.160715-1616)Find String (grep) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFIND.EXEfind "REG_SZ"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=1E16116CCE7317C0E87559DA23A4EAD3,SHA256=40C0EC6D7371D316BC1F0ABE80D0236F613C9FB88DCE2D9B5D5FD4A1A59E8B49,IMPHASH=8227B3EA21F13E06E81C9AA2636A858A{5C0BDE06-1A7A-634D-2800-000000008502}2812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" 10341000x8000000000000000516008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A79-634D-1F00-000000008502}19681972C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11ad65|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{5C0BDE06-1A7A-634D-2900-000000008502}2824C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2824C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{00000000-0000-0000-0000-000000000000}28122816C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2824C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.893{5C0BDE06-1A7A-634D-2900-000000008502}2824C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query "HKLM\Software\WOW6432Node\Npcap" /ve C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5C0BDE06-1A7A-634D-2800-000000008502}2812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" 10341000x8000000000000000515992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A7A-634D-2700-000000008502}26042664C:\Windows\system32\wbem\wmiprvse.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\combase.dll+abdc2|C:\Windows\System32\combase.dll+acaee|C:\Windows\System32\combase.dll+ac8ff|C:\Windows\System32\combase.dll+2f278|C:\Windows\System32\combase.dll+2ee90|C:\Windows\System32\combase.dll+3be54|C:\Windows\System32\combase.dll+c2964|C:\Windows\System32\combase.dll+38f11|C:\Windows\System32\combase.dll+3a860|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000515990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A79-634D-1900-000000008502}17881792C:\Windows\SYSTEM32\cmd.exe{00000000-0000-0000-0000-000000000000}2812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\SYSTEM32\cmd.exe+103c4|C:\Windows\SYSTEM32\cmd.exe+10910|C:\Windows\SYSTEM32\cmd.exe+c36d|C:\Windows\SYSTEM32\cmd.exe+8ad9|C:\Windows\SYSTEM32\cmd.exe+6fdd|C:\Windows\SYSTEM32\cmd.exe+11a9e|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.885{5C0BDE06-1A7A-634D-2800-000000008502}2812C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\System32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Program Files\Npcap\CheckStatus.bat" 10341000x8000000000000000515987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.816{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.816{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.816{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:54.690{5C0BDE06-1A79-634D-1500-000000008502}1036\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 10341000x8000000000000000515869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.659{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.659{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A79-634D-1500-000000008502}10362540C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1033a|C:\Windows\system32\wbem\wbemcore.dll+2d14f|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.612{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.612{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.596{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.579{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.579{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.589{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000515855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.579{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.579{5C0BDE06-1A77-634D-0A00-000000008502}6401816C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.615{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x8000000000000000515852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000515850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000515848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.532{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000515846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x8000000000000000515845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x8000000000000000515844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.506{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.506{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1B00-000000008502}1872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1B00-000000008502}1872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.499{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.494{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000515769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.492{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2022-10-17 09:03:54.492 10341000x8000000000000000515768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A77-634D-0A00-000000008502}640340C:\Windows\system32\services.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A77-634D-0A00-000000008502}6401824C:\Windows\system32\services.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c10) 10341000x8000000000000000515738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000515724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1500-000000008502}10361328C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1500-000000008502}10361112C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1500-000000008502}10361328C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1500-000000008502}10361112C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.393{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.393{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.392{5C0BDE06-1A79-634D-1400-000000008502}10281724C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000515712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.392{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.392{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.385{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c0f) 10341000x8000000000000000515709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.382{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.381{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.381{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\samsrv.dll+376b|C:\Windows\SYSTEM32\samsrv.dll+3457|C:\Windows\SYSTEM32\samsrv.dll+337c|C:\Windows\SYSTEM32\samsrv.dll+32fe|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.381{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\samsrv.dll+376b|C:\Windows\SYSTEM32\samsrv.dll+3605|C:\Windows\SYSTEM32\samsrv.dll+35a3|C:\Windows\SYSTEM32\samsrv.dll+33c6|C:\Windows\SYSTEM32\samsrv.dll+32eb|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.381{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\samsrv.dll+3e49|C:\Windows\SYSTEM32\samsrv.dll+3c53|C:\Windows\SYSTEM32\samsrv.dll+32bf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.363{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x8000000000000000515703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.355{5C0BDE06-1A7A-634D-2400-000000008502}23322364C:\Windows\system32\conhost.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.353{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x8000000000000000515701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.346{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.340{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.340{5C0BDE06-1A79-634D-1500-000000008502}10361736C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.333{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.332{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.327{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.327{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.325{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.324{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.324{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.324{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.324{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.323{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.323{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.318{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.318{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.292{5C0BDE06-1A77-634D-0A00-000000008502}6401824C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.278{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.275{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.270{5C0BDE06-1A79-634D-1500-000000008502}10361132C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.257{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.256{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.239{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.238{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.233{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.221{5C0BDE06-1A79-634D-1400-000000008502}10281660C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000515675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.219{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.200{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.130{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.129{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x8000000000000000515671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:54.129{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x8000000000000000515670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.123{5C0BDE06-1A77-634D-0A00-000000008502}6401852C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.121{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.119{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:54.094{5C0BDE06-1A79-634D-1800-000000008502}1756\Winsock2\CatalogChangeListener-6dc-0C:\Windows\System32\spoolsv.exe 10341000x8000000000000000515666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.075{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.075{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.060{5C0BDE06-1A77-634D-0A00-000000008502}640936C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.060{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:54.029{5C0BDE06-1A79-634D-1400-000000008502}1028\W32TIME_ALTC:\Windows\system32\svchost.exe 10341000x8000000000000000515661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.982{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.982{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.579{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe1.0.7Aurora AgentAurora AgentNextron Systemsaurora-agent.exe"C:\Program Files\Aurora-Agent\aurora-agent.exe" --service --config "C:\Program Files\Aurora-Agent\agent-config.yml"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=49DECA39E47E2CE4763AE97A807DD163,SHA256=3E6E4FB3B2A2C093D0C235736A7C31CD7EBE3EF9D15BE0602FC8CBBCAF0DA3D0,IMPHASH=6E0C98C468B7CCA0B81F6A50A530DE09{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.966{5C0BDE06-1A77-634D-0A00-000000008502}6401828C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.951{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.951{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.904{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.904{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.888{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.888{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.888{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.888{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0A00-000000008502}640936C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.884{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.857{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000515638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.857{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000515637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.732{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.732{5C0BDE06-1A77-634D-0A00-000000008502}640340C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.535{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=C54EE7993912F12A990D27C9BF8894C8,SHA256=AC1B7CBE413C5246B9A681CB975FF231204A740800A5555833B3E62952683157,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.700{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.700{5C0BDE06-1A77-634D-0A00-000000008502}6401832C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A77-634D-0A00-000000008502}6401824C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.552{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.654{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.607{5C0BDE06-1A78-634D-1200-000000008502}1020\trkwksC:\Windows\System32\svchost.exe 10341000x8000000000000000515624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.607{5C0BDE06-1A77-634D-0A00-000000008502}6401044C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.607{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 10341000x8000000000000000515622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.575{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.575{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1B00-000000008502}1872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0A00-000000008502}640368C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.534{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.529{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x00000285) 10341000x8000000000000000515609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.513{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.497{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.497{5C0BDE06-1A79-634D-1500-000000008502}10361132C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.497{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.497{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.482{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.482{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.482{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.466{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.466{5C0BDE06-1A77-634D-0A00-000000008502}640340C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.464{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe10.0.14393.5356 (rs1_release.220906-1211)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=48B18DEA6BDDC1A22AD9EF16CE63A0A4,SHA256=E295AE0FC0EE67320590D8A49BC16054ACCB6E7BAF05DB531D10B0D6DB81A21C,IMPHASH=BDE05BF1A813EB07FFA212837CB0F528{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.451{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{BDB2D21F-838F-4EFA-9114-62C795BE4367}\DateLastConnectedBinary Data 13241300x8000000000000000515592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.451{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 17141700x8000000000000000515591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.451{5C0BDE06-1A79-634D-1500-000000008502}1036\SessEnvPublicRpcC:\Windows\system32\svchost.exe 354300x8000000000000000516491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.926{5C0BDE06-1A74-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal137netbios-ns 354300x8000000000000000516490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.926{5C0BDE06-1A74-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal137netbios-nsfalse10.0.1.255-137netbios-ns 354300x8000000000000000516489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.688{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9800:89bc:fcc:ffff-50205-truea00:10e:0:0:0:0:0:0-53domain 10341000x8000000000000000516488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.797{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.794{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.794{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.794{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+3462b|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+153d1|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.794{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.762{5C0BDE06-1A7C-634D-4500-000000008502}30642840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000516474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:56.553{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000054c) 10341000x8000000000000000516473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.482{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4500-000000008502}3064C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.479{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.479{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4500-000000008502}3064C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.479{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7C-634D-4500-000000008502}3064C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+15392|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.479{5C0BDE06-1A7C-634D-4500-000000008502}3064C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.467{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A7C-634D-4300-000000008502}29362860C:\Windows\system32\cmd.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x8000000000000000516447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.457{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.454{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.454{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116d5e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11389a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.454{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.414{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.396{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.396{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.384{5C0BDE06-1A7C-634D-4000-000000008502}17881108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.356{5C0BDE06-1A79-634D-1500-000000008502}10362540C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.344{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.331{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.328{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.328{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.328{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.328{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.327{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.210{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.210{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.206{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.191{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.191{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.191{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.186{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.183{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.183{5C0BDE06-1A7B-634D-3C00-000000008502}30122992C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000516406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.174{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000516405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.100{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4000-000000008502}1788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.093{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.092{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4000-000000008502}1788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.091{5C0BDE06-1A7C-634D-3E00-000000008502}28042784C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7C-634D-4000-000000008502}1788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.092{5C0BDE06-1A7C-634D-4000-000000008502}1788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list watchdog --no-log 10341000x8000000000000000516391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.091{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.089{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.089{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.087{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.086{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.086{5C0BDE06-1A79-634D-1C00-000000008502}18802212C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+64d7e 154100x8000000000000000516378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.889{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe-----"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=2680C09DDBD3B36FB9E1CA1BCC5CDCD6,SHA256=39896033C6C4FB84827E4CD1264241759BB38FC25C8CE110CF84D59C25517491,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x8000000000000000516377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.086{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.084{5C0BDE06-1A7C-634D-3D00-000000008502}29882984C:\Windows\system32\cmd.exe{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list watchdog --no-log 10341000x8000000000000000516365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.081{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.080{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.080{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.078{5C0BDE06-1A7B-634D-3000-000000008502}29762980C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11f3c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.051{5C0BDE06-1A7B-634D-3B00-000000008502}28242888C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.995{5C0BDE06-1A7D-634D-4A00-000000008502}29882984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000516552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.170{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49677-false169.254.169.254-80http 354300x8000000000000000516551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.169{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49676-false169.254.169.254-80http 354300x8000000000000000516550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.167{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49675-false169.254.169.254-80http 354300x8000000000000000516549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.166{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49674-false169.254.169.254-80http 354300x8000000000000000516548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.162{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49673-false169.254.169.254-80http 354300x8000000000000000516547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.161{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49672-false169.254.169.254-80http 10341000x8000000000000000516546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.647{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.644{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.644{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.644{5C0BDE06-1A7D-634D-4900-000000008502}16082996C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.644{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x8000000000000000516533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.639{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.639{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.639{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.636{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.636{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+10451|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+154e7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.443{5C0BDE06-1A7D-634D-4800-000000008502}11082764C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.146{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7D-634D-4800-000000008502}1108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4800-000000008502}1108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.142{5C0BDE06-1A7D-634D-4700-000000008502}28042808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7D-634D-4800-000000008502}1108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.142{5C0BDE06-1A7D-634D-4800-000000008502}1108C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x8000000000000000516506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.137{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.136{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.136{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.136{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.134{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+10451|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+154b3|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.083{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.078{5C0BDE06-1A7C-634D-4600-000000008502}29842988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000516716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.219{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:1d86:8688:3088:5b16win-host-ctus-attack-range-17.us-east-2.compute.internal546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x8000000000000000516715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.893{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-5000-000000008502}2840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-5000-000000008502}2840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.891{5C0BDE06-1A7E-634D-4F00-000000008502}28082784C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7E-634D-5000-000000008502}2840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.891{5C0BDE06-1A7E-634D-5000-000000008502}2840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x8000000000000000516702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.886{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.874{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.874{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.874{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.872{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.872{5C0BDE06-1A7E-634D-4E00-000000008502}11082764C:\Windows\system32\cmd.exe{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.872{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x8000000000000000516689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.867{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.866{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.866{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.864{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.864{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+15625|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 23542300x8000000000000000516676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.789{5C0BDE06-1A7E-634D-4D00-000000008502}2988NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=15300FEF3E1C8844615AD2F0C722B08B,SHA256=D2E7AF8752D3526976E0566B0C1F2FA5A25A2D8FFF05D0F294C916BD54638498,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.731{5C0BDE06-1A7E-634D-4D00-000000008502}29881612C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1325115|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.485{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.485{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.485{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.436{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.435{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.429{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.429{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1557b|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.430{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.364{5C0BDE06-1A7E-634D-4C00-000000008502}27642840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.050{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4C00-000000008502}2764C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.049{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.049{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-4C00-000000008502}2764C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.047{5C0BDE06-1A7E-634D-4B00-000000008502}19921792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7E-634D-4C00-000000008502}2764C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.047{5C0BDE06-1A7E-634D-4C00-000000008502}2764C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x8000000000000000516566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.043{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.039{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.039{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+10451|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1551b|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.039{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.929{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5600-000000008502}3000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.928{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.928{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.928{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5600-000000008502}3000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7F-634D-5600-000000008502}3000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A7F-634D-5600-000000008502}3000C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000516785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.680{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=15300FEF3E1C8844615AD2F0C722B08B,SHA256=D2E7AF8752D3526976E0566B0C1F2FA5A25A2D8FFF05D0F294C916BD54638498,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.604{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5500-000000008502}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.603{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.603{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5500-000000008502}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.601{5C0BDE06-1A7F-634D-5400-000000008502}27641108C:\Windows\system32\cmd.exe{5C0BDE06-1A7F-634D-5500-000000008502}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A7F-634D-5500-000000008502}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x8000000000000000516771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.598{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.594{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116d5e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1138cf|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000516758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.593{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\pre-flight-checksMD5=187E33D9B56F557FBE6F5D6435CCBD30,SHA256=CCE27D14D09DE791EB046BADB606438CBD915F60507810471DE5FC7D75790BE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.553{5C0BDE06-1A7F-634D-5300-000000008502}29841992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.270{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5300-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5300-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.267{5C0BDE06-1A7F-634D-5200-000000008502}30002996C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7F-634D-5300-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A7F-634D-5300-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x8000000000000000516743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.263{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.259{5C0BDE06-1A7F-634D-5100-000000008502}16122988C:\Windows\system32\cmd.exe{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x8000000000000000516730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.256{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.249{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+156ca|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.250{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.220{5C0BDE06-1A7E-634D-5000-000000008502}28403064C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.989{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.951{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.914{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5F00-000000008502}2784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5F00-000000008502}2784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5F00-000000008502}2784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.891{5C0BDE06-1A80-634D-5F00-000000008502}2784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.874{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.832{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.796{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5E00-000000008502}2840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5E00-000000008502}2840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5E00-000000008502}2840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.775{5C0BDE06-1A80-634D-5E00-000000008502}2840C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.763{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.716{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.682{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5D00-000000008502}2892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5D00-000000008502}2892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5D00-000000008502}2892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.671{5C0BDE06-1A80-634D-5D00-000000008502}2892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.589{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5C00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5C00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5C00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.560{5C0BDE06-1A80-634D-5C00-000000008502}2988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.542{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.507{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.467{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.454{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.454{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.452{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5B00-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.452{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.452{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.449{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.449{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.450{5C0BDE06-1A80-634D-5B00-000000008502}1984C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.413{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.349{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5A00-000000008502}3004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.347{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.347{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.347{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.347{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5A00-000000008502}3004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5A00-000000008502}3004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A80-634D-5A00-000000008502}3004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.243{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5900-000000008502}2808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.240{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5900-000000008502}2808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.240{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5900-000000008502}2808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A80-634D-5900-000000008502}2808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.139{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5800-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5800-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5800-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A80-634D-5800-000000008502}2936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.035{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.984{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.934{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.889{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.844{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.808{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-6000-000000008502}2984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.751{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.751{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.751{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-6000-000000008502}2984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.751{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-6000-000000008502}2984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.999{5C0BDE06-1A80-634D-6000-000000008502}2984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=B0EEDA46BB8CCD5FA6571045330B10BC,SHA256=DA61CF997DF9A045242CE0F4070302E135975E82D9AC8EFCA88C8818E578C679,IMPHASH=01B7D47D95694EF08C4D38972FE4BD1F{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.717{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.681{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.610{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.564{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.529{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.493{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.458{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.412{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.380{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.310{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.269{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.223{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.070{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.030{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.968{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.913{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.868{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.749{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.689{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.630{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.587{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.540{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.495{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.437{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.392{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000516971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:04:02.379{5C0BDE06-1A77-634D-0B00-000000008502}648\Winsock2\CatalogChangeListener-288-0C:\Windows\system32\lsass.exe 10341000x8000000000000000516970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.335{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.289{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.191{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.077{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.021{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.954{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.954{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.951{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.951{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.872{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.870{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.870{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.857{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.857{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.857{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.824{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.824{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.824{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.822{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.822{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.822{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.816{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.816{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.816{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.814{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.813{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.813{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.812{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.812{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.812{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.806{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.805{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.805{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.798{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.798{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.797{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.777{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.777{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.777{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.750{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.750{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.750{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.749{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.749{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.748{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.721{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.721{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.721{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.716{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.716{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.716{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.703{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.702{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.702{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.700{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.700{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.700{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.533{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.486{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.411{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.370{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.331{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.295{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.207{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.163{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.113{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.070{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.026{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.080{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.077{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.077{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.025{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.025{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.025{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.838{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.838{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.838{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.837{5C0BDE06-1A85-634D-6200-000000008502}32883292C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+5fc32|C:\Windows\System32\KERNELBASE.dll+5f7c6|C:\Windows\System32\KERNEL32.DLL+1bcc3|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+4b8b6b|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+1fe749|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+201333|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+c41921|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.810{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exe1.55Npcap OEM 1.55 installerNpcap OEM--/winpcap_mode=no /no_kill=yes /SC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=0FE4958B3C68EF3822F99F158FEA850C,SHA256=1F035C0498863B41B64DF87099EC20F80C6DB26B12D27B5AFEF1C1AD3FA28690,IMPHASH=DFB595641ED97366338A474595C7BE08{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" 10341000x8000000000000000517141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.805{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.675{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.674{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.674{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.672{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.672{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.672{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.672{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=B0EEDA46BB8CCD5FA6571045330B10BC,SHA256=DA61CF997DF9A045242CE0F4070302E135975E82D9AC8EFCA88C8818E578C679,IMPHASH=01B7D47D95694EF08C4D38972FE4BD1F{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.667{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.666{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.666{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.485{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000517114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:04:05.462{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{bdb2d21f-838f-4efa-9114-62c795be4367}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x8000000000000000517113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:04:05.462{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{bdb2d21f-838f-4efa-9114-62c795be4367}\LastProbeTimeDWORD (0x634d1a85) 10341000x8000000000000000517112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.435{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.435{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.435{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.433{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.433{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.433{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.411{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.411{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.411{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.400{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.400{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.400{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.395{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.395{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.395{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.384{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.384{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.384{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.383{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.382{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.382{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.381{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.381{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.381{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.375{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000517084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.186{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=91261DAE701C5D2F316493FA46443AB6,SHA256=0478C1FD9B7A8B856396889776A603CA1AB393142563A9F8839FCE35A0CC4BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.182{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=8507ED253CBB324479714FAB6078930E,SHA256=DCD2E99AE97541686E94617FF449008D85C062BAB3EF3EEDBF87DA1A6C7FF583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.178{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=C77298FBE7F3A33235B80B3FCC293549,SHA256=AD0E00300857BBF6171F19E1FE483390BC91ACE0E4E8478C8123BFD897E6B674,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.941{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.941{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.941{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.940{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.940{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.940{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.938{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.938{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.938{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.706{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.706{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.695{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.694{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.694{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.693{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.693{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.693{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.692{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.692{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.692{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.688{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.688{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.688{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.688{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.686{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.686{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.669{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.669{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.669{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.669{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.668{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.668{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.668{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.668{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.656{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.655{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.655{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.655{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.654{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.654{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.639{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.639{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.637{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.637{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.631{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.631{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.631{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.631{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.627{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.627{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.593{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.584{5C0BDE06-1A85-634D-6200-000000008502}32883376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+20199b|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a72093|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000517173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.577{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\System.dllMD5=F020A8D9EDE1FB2AF3651AD6E0AC9CB1,SHA256=7EFE73A8D32ED1B01727AD4579E9EEC49C9309F2CB7BF03C8AFA80D70242D1C0,IMPHASH=FC0224E99E736751432961DB63A41B76truetrue 10341000x8000000000000000517172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.574{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000517171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.573{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\options.iniMD5=D5B270807BD5E8E117DB66010FD51AFA,SHA256=5A5E297948D13919E4432A5F7544DA14DE5ACCBE6D228F32162669148853EDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.570{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\InstallOptions.dllMD5=170C17AC80215D0A377B42557252AE10,SHA256=61EA114D9D0CD1E884535095AA3527A6C28DF55A4ECEE733C8C398F50B84CC3D,IMPHASH=4B45B7E00344A87332FBD12653854D1Atruetrue 23542300x8000000000000000517169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.568{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\final.iniMD5=CAE757421DB8D011E41266BFD9439885,SHA256=FF350A68202AADB145F590C8579F9284D2E3C324B0369FDE39E5A3A31D7B8204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.564{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B04.tmpMD5=E885C9B9629ECE93849C22D33B660A41,SHA256=DFCC6C69907CCFB159D25532905C5C55CA8592FDF30E136E0C1F836467880769,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.539{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.539{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.348{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.2.5Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=6C9AC5FDD1CC3DE4B5CE3554BB97C44D,SHA256=0A50534D41D6E6CB8CF82D11B50318C26429D606EF43C9B9DC10C9098B87DE77,IMPHASH=B93C7B1A01AE4E8C3FA69FD9F2A758E7{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000517155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17DLL2022-10-17 09:04:06.526{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\System.dll2022-10-17 09:04:06.526 11241100x8000000000000000517154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17DLL2022-10-17 09:04:06.502{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\InstallOptions.dll2022-10-17 09:04:06.502 10341000x8000000000000000517270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.775{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.775{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.775{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.775{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.772{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.772{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.383{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A87-634D-6500-000000008502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.375{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A87-634D-6500-000000008502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.370{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.370{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A87-634D-6500-000000008502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.125{5C0BDE06-1A87-634D-6500-000000008502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.157{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.157{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.157{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.157{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000517247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.794{5C0BDE06-1A85-634D-6200-000000008502}3288win-host-ctus-attack-range-170fe80::1d86:8688:3088:5b16;::ffff:10.0.1.15;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 22542200x8000000000000000517246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.463{5C0BDE06-1A79-634D-1600-000000008502}1220us-east-2.compute.internal1223-C:\Windows\System32\svchost.exe 22542200x8000000000000000517245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.462{5C0BDE06-1A79-634D-1600-000000008502}1220bfozjxnakhan1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000517244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.429{5C0BDE06-1A79-634D-1400-000000008502}1028wpad1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000517243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.429{5C0BDE06-1A79-634D-1600-000000008502}1220www.msftconnecttest.com1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000517242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.375{5C0BDE06-1A79-634D-1600-000000008502}1220_ldap._tcp.dc._msdcs.us-east-2.compute.internal.1460-C:\Windows\System32\svchost.exe 10341000x8000000000000000517294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.595{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.595{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.510{5C0BDE06-1A88-634D-6600-000000008502}34483452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.296{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A88-634D-6600-000000008502}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.292{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A88-634D-6600-000000008502}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.292{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A88-634D-6600-000000008502}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.062{5C0BDE06-1A88-634D-6600-000000008502}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.155{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.155{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.154{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.154{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 13241300x8000000000000000517312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:04:09.484{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 22542200x8000000000000000517311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.155{5C0BDE06-1A79-634D-2100-000000008502}892WIN-HOST-CTUS-A0::ffff:10.0.1.15;C:\Windows\System32\svchost.exe 22542200x8000000000000000517310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.572{5C0BDE06-1A79-634D-1500-000000008502}1036isatap.us-east-2.compute.internal1460-C:\Windows\System32\svchost.exe 10341000x8000000000000000517309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A88-634D-6700-000000008502}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A88-634D-6700-000000008502}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A88-634D-6700-000000008502}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.901{5C0BDE06-1A88-634D-6700-000000008502}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000517296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.335{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9800:89bc:fcc:ffff-53858-truee000:fc:fcc:ffff:357:d8aa:3f8:ffff-5355llmnr 354300x8000000000000000517295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.335{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:1d86:8688:3088:5b16win-host-ctus-attack-range-17.us-east-2.compute.internal53858-trueff02:0:0:0:0:0:1:3-5355llmnr 10341000x8000000000000000517354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.982{5C0BDE06-1A8A-634D-6A00-000000008502}35683572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A8A-634D-6A00-000000008502}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A8A-634D-6A00-000000008502}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A8A-634D-6A00-000000008502}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.567{5C0BDE06-1A8A-634D-6A00-000000008502}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.576{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.343{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.341{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.341{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.341{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.341{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.339{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.338{5C0BDE06-1A7B-634D-3C00-000000008502}30122992C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000517327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.331{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'" "| Select-Object" "ProductName, BuildLabEx, CurrentMajorVersionNumber, CurrentMinorVersionNumber" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 22542200x8000000000000000517326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.852{5C0BDE06-1A85-634D-6200-000000008502}3288win-host-ctus-attack-range-17010.0.1.15;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x8000000000000000517325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.007{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A89-634D-6800-000000008502}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.005{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.005{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.005{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.003{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A89-634D-6800-000000008502}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.003{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A89-634D-6800-000000008502}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.762{5C0BDE06-1A89-634D-6800-000000008502}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.2.5Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=93E4AABDB4C09791F34C1FB96FFB7B34,SHA256=E04D140844ABB2D8C81C9FDC12A1D731CAEE3025C5A723F0358E74A49232797E,IMPHASH=745B5ABFE8841B7D74AD07D845F0D330{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000745169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.591{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.580{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.549{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.549{A78D3DEB-1A79-634D-0A00-000000008502}6402528C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.834{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000745015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.375{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.375{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.297{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.264{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.264{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.264{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.244{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:10.243{A78D3DEB-1A7C-634D-1600-000000008502}1236\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 10341000x8000000000000000744886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.243{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.228{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.227{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.212{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvds.exeC:\Windows\System32\vds.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F43B67F8FB870A731294662603690C2F,SHA256=9707255C9778F9A8135BAA4F1A16FAC9EBF2991FD6AF937B232D5FA52D14AC33,IMPHASH=3F541E0A1D775ACA4A7D5FBDFF8433C5{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.214{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.214{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.213{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.213{A78D3DEB-1A79-634D-0A00-000000008502}640708C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.921{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe1.0.7Aurora AgentAurora AgentNextron Systemsaurora-agent.exe"C:\Program Files\Aurora-Agent\aurora-agent.exe" --service --config "C:\Program Files\Aurora-Agent\agent-config.yml"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=49DECA39E47E2CE4763AE97A807DD163,SHA256=3E6E4FB3B2A2C093D0C235736A7C31CD7EBE3EF9D15BE0602FC8CBBCAF0DA3D0,IMPHASH=6E0C98C468B7CCA0B81F6A50A530DE09{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.206{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.206{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.206{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.206{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.192{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.176{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.176{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.176{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.176{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.174{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.174{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.173{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk Service LoaderMicrosoft® Windows® Operating SystemMicrosoft Corporationvdsldr.exeC:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=B344B812DD6C294360563E52B2EF1C13,SHA256=0A4CA31848D7513F97F72D0292F5BBEE1CA409AAFFCACDE5369E12003B34118D,IMPHASH=D6207B24445355CEA1AC6C8E9A2BA2B9{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000744865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.164{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.149{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.076{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.076{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.854{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C54EE7993912F12A990D27C9BF8894C8,SHA256=AC1B7CBE413C5246B9A681CB975FF231204A740800A5555833B3E62952683157,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.060{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.029{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.029{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.035{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000744856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.013{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.982{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.982{A78D3DEB-1A79-634D-0A00-000000008502}640724C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.982{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.967{A78D3DEB-1A7C-634D-1200-000000008502}4482216C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000744851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.967{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.967{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:09.967{A78D3DEB-1A89-634D-2F00-000000008502}2812\netdfsC:\Windows\system32\dfssvc.exe 10341000x8000000000000000744848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.967{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.920{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.920{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.920{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.920{A78D3DEB-1A79-634D-0A00-000000008502}640356C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.828{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exe10.0.14393.4169 (rs1_release.210107-1130)Distributed File System ReplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationdfsr.exeC:\Windows\system32\DFSRs.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F2483716D6C752FB448C7295AA3B49A1,SHA256=6B77249159D3C217694B52F0B1C75E0649486EF4A3FE4513CD41D81E7DEB709A,IMPHASH=C1481566D7D03EEC4CC460B52429BA9C{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 154100x8000000000000000744837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.902{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\System32\dfssvc.exe10.0.14393.4825 (rs1_release.211202-1611)Windows NT Distributed File System ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdfssvc.exeC:\Windows\system32\dfssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=D1EFE6799897721D4FA45438D8215321,SHA256=8897D358D289BE6CE7D67922E5A713A997A5317C74C44935C212898AE498F516,IMPHASH=C8B32AEEF22A97D88BD68D70385A1B30{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.904{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.904{A78D3DEB-1A79-634D-0A00-000000008502}6402536C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.844{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0A00-000000008502}640724C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.847{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exe10.0.14393.5356 (rs1_release.220906-1211)Domain Name System (DNS) ServerMicrosoft® Windows® Operating SystemMicrosoft Corporationdns.exeC:\Windows\system32\dns.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=8E57D858F7ECCAAEB80D348BD4C14434,SHA256=830DB8427582E91CB6A903D695F5D49CF6168470A8FDF3B886BED8940D4F39AB,IMPHASH=A9372A5933F0A34E60D75696B5C69952{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.857{A78D3DEB-1A79-634D-0A00-000000008502}640372C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:09.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000744820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:09.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000744819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.857{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0A00-000000008502}640384C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.828{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.816{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe10.0.14393.4046Microsoft.ActiveDirectory.WebServicesMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ActiveDirectory.WebServices.exeC:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=868245AE57651C1D8889B528A182C81A,SHA256=2BA73582B4334AEDA469B97D528C24CCB2392FD189524198017D59DF4C4F6504,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0A00-000000008502}6402540C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0A00-000000008502}640732C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.813{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Intersite Messaging ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationismserv.exeC:\Windows\System32\ismserv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=39F0EC2CAE7FF38BABDDE2252ACCEA67,SHA256=29BDF4D2040D24E02B830A272D02CF29F19FD4E1A0F54F22BCC76301A0BFD26F,IMPHASH=088F7CD1DAA87B8E05239EDAB00479BB{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:09.795{A78D3DEB-1A89-634D-2500-000000008502}2488\Winsock2\CatalogChangeListener-9b8-0C:\Windows\System32\spoolsv.exe 10341000x8000000000000000744773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.763{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.748{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.748{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.739{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe10.0.14393.5356 (rs1_release.220906-1211)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=48B18DEA6BDDC1A22AD9EF16CE63A0A4,SHA256=E295AE0FC0EE67320590D8A49BC16054ACCB6E7BAF05DB531D10B0D6DB81A21C,IMPHASH=BDE05BF1A813EB07FFA212837CB0F528{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.732{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.732{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.732{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.732{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.685{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:07.232{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:07.232{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:06.560{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:06.560{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:06.560{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:06.560{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.701{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:05.611{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x8000000000000000744742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:04:05.611{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x8000000000000000744741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.611{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.611{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.583{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:05.576{A78D3DEB-1A7B-634D-0D00-000000008502}908\RpcProxy\593C:\Windows\system32\svchost.exe 13241300x8000000000000000744730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:05.576{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 17141700x8000000000000000744729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:05.560{A78D3DEB-1A79-634D-0B00-000000008502}648\5f2963b50b66aa0fC:\Windows\system32\lsass.exe 17141700x8000000000000000744728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:05.560{A78D3DEB-1A79-634D-0B00-000000008502}648\RpcProxy\49669C:\Windows\system32\lsass.exe 10341000x8000000000000000744727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:04.513{A78D3DEB-1A7C-634D-1200-000000008502}4481048C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000744726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:04.498{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000000) 13241300x8000000000000000744724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000744723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000744722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\FlagsDWORD (0x00000000) 13241300x8000000000000000744721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\TtlDWORD (0x000004b0) 13241300x8000000000000000744720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentPriUpdateToIpBinary Data 13241300x8000000000000000744719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentUpdateToIpBinary Data 13241300x8000000000000000744718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\DnsServersBinary Data 13241300x8000000000000000744717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\HostAddrsBinary Data 13241300x8000000000000000744716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\PrimaryDomainNameattackrange.local 13241300x8000000000000000744715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\AdapterDomainName(Empty) 13241300x8000000000000000744714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\Hostnamewin-dc-ctus-attack-range-801 10341000x8000000000000000744713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:00.341{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000558) 10341000x8000000000000000744700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.701{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 10341000x8000000000000000744687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.341{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{cdbf2ad9-d9df-495a-8b70-d479c6e12b96}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x8000000000000000744677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.341{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{cdbf2ad9-d9df-495a-8b70-d479c6e12b96}\LastProbeTimeDWORD (0x634d1a7f) 13241300x8000000000000000744676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.341{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{CDBF2AD9-D9DF-495A-8B70-D479C6E12B96}\DateLastConnectedBinary Data 10341000x8000000000000000744675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000744669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.388{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000557) 13241300x8000000000000000744668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.201{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpGatewayHardwareCountDWORD (0x00000001) 13241300x8000000000000000744667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.201{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpGatewayHardwareBinary Data 12241200x8000000000000000744666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:58.201{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpGatewayHardwareCount 12241200x8000000000000000744665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:58.201{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpGatewayHardware 13241300x8000000000000000744664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.185{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000744663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.185{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000000) 13241300x8000000000000000744662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.185{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\StaleAdapterDWORD (0x00000000) 10341000x8000000000000000744661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.404{A78D3DEB-1A7D-634D-2200-000000008502}22322252C:\Windows\system32\conhost.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{A78D3DEB-1A7D-634D-2000-000000008502}2208C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7D-634D-2000-000000008502}2208C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.373{00000000-0000-0000-0000-000000000000}21962200C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2208C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.386{A78D3DEB-1A7D-634D-2000-000000008502}2208C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc.exe qc npcapC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{A78D3DEB-1A7D-634D-1F00-000000008502}2196C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c sc.exe qc npcap 10341000x8000000000000000744651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.373{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.373{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.373{A78D3DEB-1A7C-634D-1800-000000008502}19801984C:\Windows\SYSTEM32\cmd.exe{00000000-0000-0000-0000-000000000000}2196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\SYSTEM32\cmd.exe+103c4|C:\Windows\SYSTEM32\cmd.exe+10910|C:\Windows\SYSTEM32\cmd.exe+c36d|C:\Windows\SYSTEM32\cmd.exe+8ad9|C:\Windows\SYSTEM32\cmd.exe+6fdd|C:\Windows\SYSTEM32\cmd.exe+11a9e|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.379{A78D3DEB-1A7D-634D-1F00-000000008502}2196C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c sc.exe qc npcapC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A7C-634D-1800-000000008502}1980C:\Windows\System32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Program Files\Npcap\CheckStatus.bat" 10341000x8000000000000000744647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.326{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2172C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.326{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2172C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.326{A78D3DEB-1A7D-634D-1C00-000000008502}21482152C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2172C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.329{A78D3DEB-1A7D-634D-1E00-000000008502}2172C:\Windows\System32\find.exe10.0.14393.0 (rs1_release.160715-1616)Find String (grep) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFIND.EXEfind "REG_SZ"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=1E16116CCE7317C0E87559DA23A4EAD3,SHA256=40C0EC6D7371D316BC1F0ABE80D0236F613C9FB88DCE2D9B5D5FD4A1A59E8B49,IMPHASH=8227B3EA21F13E06E81C9AA2636A858A{A78D3DEB-1A7D-634D-1C00-000000008502}2148C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" 10341000x8000000000000000744643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.326{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{A78D3DEB-1A7D-634D-1D00-000000008502}2160C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2160C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{00000000-0000-0000-0000-000000000000}21482152C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2160C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.307{A78D3DEB-1A7D-634D-1D00-000000008502}2160C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query "HKLM\Software\WOW6432Node\Npcap" /ve C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{A78D3DEB-1A7D-634D-1C00-000000008502}2148C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" 10341000x8000000000000000744639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{A78D3DEB-1A7C-634D-1800-000000008502}19801984C:\Windows\SYSTEM32\cmd.exe{00000000-0000-0000-0000-000000000000}2148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\SYSTEM32\cmd.exe+103c4|C:\Windows\SYSTEM32\cmd.exe+10910|C:\Windows\SYSTEM32\cmd.exe+c36d|C:\Windows\SYSTEM32\cmd.exe+8ad9|C:\Windows\SYSTEM32\cmd.exe+6fdd|C:\Windows\SYSTEM32\cmd.exe+11a9e|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.299{A78D3DEB-1A7D-634D-1C00-000000008502}2148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A7C-634D-1800-000000008502}1980C:\Windows\System32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Program Files\Npcap\CheckStatus.bat" 10341000x8000000000000000744635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.029{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.029{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000744631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.951{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000744628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.951{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x8000000000000000744627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.951{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x8000000000000000744626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c54) 10341000x8000000000000000744622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{A78D3DEB-1A7C-634D-1800-000000008502}1980C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.920{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.920{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.920{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.904{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x8000000000000000744605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000744604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000744602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2022-10-17 09:03:56.888 10341000x8000000000000000744601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.873{A78D3DEB-1A79-634D-0A00-000000008502}640104C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.873{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.873{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c53) 10341000x8000000000000000744597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.873{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.873{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.857{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x8000000000000000744594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.826{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1A00-000000008502}2016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.810{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.810{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.795{A78D3DEB-1A7C-634D-1200-000000008502}4481580C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000744590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.779{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.779{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.732{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}1980C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.732{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}1980C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.654{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.654{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.654{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.654{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.638{A78D3DEB-1A7C-634D-1600-000000008502}1236\Winsock2\CatalogChangeListener-4d4-0C:\Windows\system32\svchost.exe 17141700x8000000000000000744563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.638{A78D3DEB-1A7C-634D-1600-000000008502}1236\SessEnvPublicRpcC:\Windows\system32\svchost.exe 10341000x8000000000000000744562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.638{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.591{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.591{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.591{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000744558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT10532022-10-17 09:03:56.513{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 10341000x8000000000000000744557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.513{A78D3DEB-1A7C-634D-1600-000000008502}1236\atsvcC:\Windows\system32\svchost.exe 10341000x8000000000000000744553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.482{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 10341000x8000000000000000744550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.451{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.451{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000744548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.435{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x00000285) 10341000x8000000000000000744547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.435{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.435{A78D3DEB-1A7C-634D-0F00-000000008502}300\Ctx_WinStation_API_serviceC:\Windows\System32\svchost.exe 17141700x8000000000000000744545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.435{A78D3DEB-1A7C-634D-0F00-000000008502}300\TermSrv_API_serviceC:\Windows\System32\svchost.exe 10341000x8000000000000000744544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.420{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.420{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.420{A78D3DEB-1A79-634D-0B00-000000008502}648\Winsock2\CatalogChangeListener-288-1C:\Windows\system32\lsass.exe 10341000x8000000000000000744541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.420{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648\Winsock2\CatalogChangeListener-288-0C:\Windows\system32\lsass.exe 10341000x8000000000000000744539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.404{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000744536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.404{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000744535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000015) 13241300x8000000000000000744531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000015) 13241300x8000000000000000744530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\20UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x8000000000000000744529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 10341000x8000000000000000744527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x8000000000000000744525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x8000000000000000744524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.357{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000744513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.295{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.295{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.295{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0A00-000000008502}640356C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x8000000000000000744485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000744481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000744479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000744475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000744473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.248{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.248{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.248{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.248{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.248{A78D3DEB-1A7C-634D-1100-000000008502}380\Winsock2\CatalogChangeListener-17c-0C:\Windows\System32\svchost.exe 17141700x8000000000000000744468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.248{A78D3DEB-1A7C-634D-1100-000000008502}380\eventlogC:\Windows\System32\svchost.exe 10341000x8000000000000000744467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.185{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 13241300x8000000000000000744438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000744437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000744436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000744435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseTerminatesTimeDWORD (0x634d288c) 13241300x8000000000000000744434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\T2DWORD (0x634d26ca) 13241300x8000000000000000744433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\T1DWORD (0x634d2184) 13241300x8000000000000000744432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseObtainedTimeDWORD (0x634d1a7c) 13241300x8000000000000000744431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseDWORD (0x00000e10) 13241300x8000000000000000744430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpServer10.0.1.1 13241300x8000000000000000744429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000744428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpIPAddress10.0.1.14 13241300x8000000000000000744427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpInterfaceOptionsBinary Data 13241300x8000000000000000744426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpSubnetMaskOptBinary Data 13241300x8000000000000000744425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpDefaultGatewayBinary Data 13241300x8000000000000000744424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpNameServer10.0.0.2 13241300x8000000000000000744423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000744422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer10.0.0.2 13241300x8000000000000000744421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpDomainus-east-2.compute.internal 13241300x8000000000000000744420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomainus-east-2.compute.internal 13241300x8000000000000000744419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000744418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000744417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000744416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000744415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000744414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseTerminatesTimeDWORD (0x00000000) 13241300x8000000000000000744413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\T2DWORD (0x00000000) 13241300x8000000000000000744412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\T1DWORD (0x00000000) 13241300x8000000000000000744411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseObtainedTimeDWORD (0x00000000) 13241300x8000000000000000744410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseDWORD (0x00000000) 13241300x8000000000000000744409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpServer255.255.255.255 13241300x8000000000000000744408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpSubnetMask255.0.0.0 13241300x8000000000000000744407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpIPAddress0.0.0.0 12241200x8000000000000000744406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpInterfaceOptions 13241300x8000000000000000744405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\Dhcpv6StateDWORD (0x00000001) 12241200x8000000000000000744404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpDefaultGateway 12241200x8000000000000000744403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpSubnetMaskOpt 12241200x8000000000000000744402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpDomain 12241200x8000000000000000744401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain 12241200x8000000000000000744400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpNameServer 12241200x8000000000000000744399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer 13241300x8000000000000000744398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\Dhcpv6StateDWORD (0x00000000) 10341000x8000000000000000744397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.138{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.138{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.123{A78D3DEB-1A79-634D-0A00-000000008502}640372C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.123{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.123{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000744392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0A00-000000008502}640104C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7C-634D-0E00-000000008502}10041060C:\Windows\system32\LogonUI.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A79-634D-0A00-000000008502}640384C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A79-634D-0A00-000000008502}640384C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0800-000000008502}508524C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0900-000000008502}584992C:\Windows\system32\winlogon.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.070{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{A78D3DEB-1A7C-634D-98C0-000000000000}0xc0981SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000744369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.069{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{A78D3DEB-1A7C-634D-E503-000000000000}0x3e50SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0A00-000000008502}640372C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1d27e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1b736|C:\Windows\system32\lsasrv.dll+1cce5|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.045{A78D3DEB-1A79-634D-0A00-000000008502}640356C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.045{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.045{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.045{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0A00-000000008502}640728C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.037{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{A78D3DEB-1A7B-634D-E403-000000000000}0x3e40SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0800-000000008502}508604C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0900-000000008502}584588C:\Windows\system32\winlogon.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.019{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3b87055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000744335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852884C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852884C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852884C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852\LSM_API_serviceC:\Windows\system32\svchost.exe 10341000x8000000000000000744325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000744318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:55.888{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000744317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:55.888{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000744316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:55.888{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x8000000000000000744315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.858{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.858{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:55.858{A78D3DEB-1A79-634D-0700-000000008502}500\Winsock2\CatalogChangeListener-1f4-0C:\Windows\system32\wininit.exe 17141700x8000000000000000744312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:55.858{A78D3DEB-1A7B-634D-0D00-000000008502}908\epmapperC:\Windows\system32\svchost.exe 10341000x8000000000000000744311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.858{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+46838|c:\windows\system32\rpcss.dll+7593|c:\windows\system32\rpcss.dll+74fe|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:55.841{A78D3DEB-1A7B-634D-0D00-000000008502}908\Winsock2\CatalogChangeListener-38c-0C:\Windows\system32\svchost.exe 10341000x8000000000000000744309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.841{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.841{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.841{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.826{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.826{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.810{A78D3DEB-1A79-634D-0A00-000000008502}640644C:\Windows\system32\services.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a423|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.795{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.795{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.795{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.763{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.623{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.607{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.607{A78D3DEB-1A79-634D-0A00-000000008502}640644C:\Windows\system32\services.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a698|C:\Windows\system32\services.exe+1a391|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.611{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.591{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:54.966{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database EpochDWORD (0x00002fb4) 10341000x8000000000000000744293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0A00-000000008502}640\scerpcC:\Windows\system32\services.exe 10341000x8000000000000000744289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:54.310{A78D3DEB-1A79-634D-0A00-000000008502}640\ntsvcsC:\Windows\system32\services.exe 10341000x8000000000000000744286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.935{A78D3DEB-1A79-634D-0B00-000000008502}648652C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+5ac9c|C:\Windows\system32\lsasrv.dll+63e8f|C:\Windows\system32\lsasrv.dll+6f44e|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+46b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.795{A78D3DEB-1A79-634D-0700-000000008502}500504C:\Windows\system32\wininit.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.795{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.795{A78D3DEB-1A79-634D-0700-000000008502}500504C:\Windows\system32\wininit.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.804{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exe10.0.14393.4704 (rs1_release.211004-1917)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000744281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.748{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.748{A78D3DEB-1A79-634D-0700-000000008502}500504C:\Windows\system32\wininit.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.747{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exe10.0.14393.4169 (rs1_release.210107-1130)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=FEFC26105685C70D7260170489B5B520,SHA256=930F44F9A599937BDB23CF0C7EA4D158991B837D2A0975C15686CDD4198808E8,IMPHASH=A1C9FD59764D67AA201947276212F7CF{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\System32\wininit.exewininit.exe 17141700x8000000000000000744278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:53.732{A78D3DEB-1A79-634D-0700-000000008502}500\InitShutdownC:\Windows\system32\wininit.exe 10341000x8000000000000000744277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.607{A78D3DEB-1A79-634D-0600-000000008502}492496C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.599{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c 10341000x8000000000000000744275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.592{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000744274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.560{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domainattackrange.local 13241300x8000000000000000744273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.560{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-dc-ctus-attack-range-801 10341000x8000000000000000744272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.560{A78D3DEB-1A79-634D-0400-000000008502}408412C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.554{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{A78D3DEB-1A79-634D-0400-000000008502}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c 10341000x8000000000000000744270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.545{A78D3DEB-1A79-634D-0600-000000008502}492496C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.557{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c 10341000x8000000000000000744268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.545{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.545{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.551{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000744265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.545{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000744264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x616de25a) 13241300x8000000000000000744263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x8000000000000000744262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x8000000000000000744261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000744260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x8000000000000000744259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&6798829&0&UID0 10341000x8000000000000000744258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.404{A78D3DEB-1A79-634D-0400-000000008502}408412C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.406{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{A78D3DEB-1A79-634D-0400-000000008502}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c 10341000x8000000000000000744256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.279{A78D3DEB-1A73-634D-0200-000000008502}320404C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.279{A78D3DEB-1A73-634D-0200-000000008502}320404C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.282{A78D3DEB-1A79-634D-0400-000000008502}408C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000744253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.748{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x8000000000000000744252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:50.732{A78D3DEB-1A73-634D-0200-000000008502}320324C:\Windows\System32\smss.exe{A78D3DEB-1A76-634D-0300-000000008502}356C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:50.725{A78D3DEB-1A76-634D-0300-000000008502}356C:\Windows\System32\autochk.exe10.0.14393.4350 (rs1_release.210407-2154)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=A512733E2C767F87A8029400B4A48CD0,SHA256=1ED75EB59C2897304E0160E0605071178418802C31910D78A2076B0414047875,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000744250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000744249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000744248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000744247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000744246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000744245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000744244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000744243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000744242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 13241300x8000000000000000744241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000744240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000744239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000744238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000744237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e51904a) 13241300x8000000000000000744236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\gencounter\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e51904a) 13241300x8000000000000000744235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\intelppm\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e51904a) 13241300x8000000000000000744234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000014) 13241300x8000000000000000744233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000014) 13241300x8000000000000000744232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\19LPTENUM\MicrosoftRawPort\5&dde82d&0&LPT1 12241200x8000000000000000744231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:48.045{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalled 13241300x8000000000000000744230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.045{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalledDWORD (0x00002f89) 13241300x8000000000000000744229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.045{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e3294f0) 13241300x8000000000000000744228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.045{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e3294f0) 13241300x8000000000000000744227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.998{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.998{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000744225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.998{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMinorVersionDWORD (0x00000032) 13241300x8000000000000000744224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.998{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x8000000000000000744222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x8000000000000000744221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.904{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000744220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.904{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000744219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.904{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000744218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000744216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\DriverMinorVersionDWORD (0x00000037) 13241300x8000000000000000744213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000744212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\NdisMinorVersionDWORD (0x00000032) 13241300x8000000000000000744211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000744208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x8000000000000000744207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.701{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x8000000000000000744205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000744204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x8000000000000000744203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{0d7110ed-3f2e-11ed-abb2-806e6f6e6963}#0000000000100000 13241300x8000000000000000744202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000744201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x8000000000000000744200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{0d7110ed-3f2e-11ed-abb2-806e6f6e6963}#0000000000100000 434400x8000000000000000744199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local2022-10-17 09:04:10.176Started13.014.50 10341000x8000000000000000517369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.770{5C0BDE06-1A8B-634D-6B00-000000008502}36083612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.449{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A8B-634D-6B00-000000008502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.446{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.446{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.443{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.443{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.443{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A8B-634D-6B00-000000008502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.443{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A8B-634D-6B00-000000008502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.443{5C0BDE06-1A8B-634D-6B00-000000008502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000517355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.483{5C0BDE06-1A79-634D-1500-000000008502}1036win10.ipv6.microsoft.com.1460-C:\Windows\System32\svchost.exe 10341000x8000000000000000745565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.992{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.982{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.978{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.978{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.978{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.978{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.978{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.978{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.978{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.977{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.977{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.976{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.976{A78D3DEB-1A89-634D-2E00-000000008502}27001640C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+64d7e 154100x8000000000000000745552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.730{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe-----"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=2680C09DDBD3B36FB9E1CA1BCC5CDCD6,SHA256=39896033C6C4FB84827E4CD1264241759BB38FC25C8CE110CF84D59C25517491,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x8000000000000000745551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.723{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-4300-000000008502}3564C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.720{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-4300-000000008502}3564C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.720{A78D3DEB-1A8B-634D-4200-000000008502}35243528C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{A78D3DEB-1A8B-634D-4300-000000008502}3564C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.720{A78D3DEB-1A8B-634D-4300-000000008502}3564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8B-634D-4200-000000008502}3524C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x8000000000000000745538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.715{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-4200-000000008502}3524C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.714{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.714{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.714{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.713{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.713{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.713{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.713{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.713{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.713{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.713{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-4200-000000008502}3524C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.713{A78D3DEB-1A8B-634D-4100-000000008502}35123516C:\Windows\system32\cmd.exe{A78D3DEB-1A8B-634D-4200-000000008502}3524C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.713{A78D3DEB-1A8B-634D-4200-000000008502}3524C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{A78D3DEB-1A8B-634D-4100-000000008502}3512C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x8000000000000000745525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.710{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-4100-000000008502}3512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.708{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.708{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.708{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.708{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.707{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.707{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.707{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.707{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.707{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.707{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-4100-000000008502}3512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.707{A78D3DEB-1A8B-634D-3A00-000000008502}33003304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8B-634D-4100-000000008502}3512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11e04|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.707{A78D3DEB-1A8B-634D-4100-000000008502}3512C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A8B-634D-3A00-000000008502}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000745512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.675{A78D3DEB-1A8B-634D-4000-000000008502}34443448C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000745511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:11.563{A78D3DEB-1A89-634D-3000-000000008502}2832\aurora-agent-pprofC:\Program Files\Aurora-Agent\aurora-agent.exe 17141700x8000000000000000745510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:11.563{A78D3DEB-1A89-634D-3000-000000008502}2832\aurora-agent-statusC:\Program Files\Aurora-Agent\aurora-agent.exe 13241300x8000000000000000745509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:11.552{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\EventMessageFile%%SystemRoot%%\System32\EventCreate.exe 13241300x8000000000000000745508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:11.552{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000745507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:11.552{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\CustomSourceDWORD (0x00000001) 12241200x8000000000000000745506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteKey2022-10-17 09:04:11.551{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent 17141700x8000000000000000745505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:11.551{A78D3DEB-1A79-634D-0A00-000000008502}640\Winsock2\CatalogChangeListener-280-0C:\Windows\system32\services.exe 10341000x8000000000000000745504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.547{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000745503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.546{A78D3DEB-1A89-634D-3000-000000008502}2832NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent.exeC:\Program Files\Aurora-Agent\service-startup.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000745502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.486{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.486{A78D3DEB-1A7C-634D-1600-000000008502}12361556C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000745500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.486{A78D3DEB-1A7C-634D-1600-000000008502}12361556C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000745499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.486{A78D3DEB-1A7C-634D-1600-000000008502}12361556C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000745498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.486{A78D3DEB-1A7C-634D-1600-000000008502}12361556C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000745497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.486{A78D3DEB-1A7C-634D-1600-000000008502}12361556C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000745496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.486{A78D3DEB-1A7C-634D-1600-000000008502}12361556C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000745495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.486{A78D3DEB-1A89-634D-2800-000000008502}26002196C:\Windows\system32\DFSRs.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\wmidcom.dll+58a6|C:\Windows\system32\wmidcom.dll+5464|C:\Windows\system32\wmidcom.dll+5495|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.486{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000745492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000745491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000745490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000745489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000745488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000745487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A89-634D-2800-000000008502}26002944C:\Windows\system32\DFSRs.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d847d|C:\Windows\system32\DFSRs.exe+c3ca|C:\Windows\system32\DFSRs.exe+51c1|C:\Windows\system32\DFSRs.exe+73b2|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000745485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000745484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x8000000000000000745483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000745482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.462{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000745481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.458{A78D3DEB-1A89-634D-2800-000000008502}26002944C:\Windows\system32\DFSRs.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d847d|C:\Windows\system32\DFSRs.exe+c1bd|C:\Windows\system32\DFSRs.exe+51c1|C:\Windows\system32\DFSRs.exe+73b2|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.451{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.416{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-4000-000000008502}3444C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-4000-000000008502}3444C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.408{A78D3DEB-1A8B-634D-3F00-000000008502}34243428C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{A78D3DEB-1A8B-634D-4000-000000008502}3444C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.409{A78D3DEB-1A8B-634D-4000-000000008502}3444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8B-634D-3F00-000000008502}3424C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x8000000000000000745465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-3F00-000000008502}3424C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-3F00-000000008502}3424C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A8B-634D-3E00-000000008502}34123416C:\Windows\system32\cmd.exe{A78D3DEB-1A8B-634D-3F00-000000008502}3424C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.396{A78D3DEB-1A8B-634D-3F00-000000008502}3424C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{A78D3DEB-1A8B-634D-3E00-000000008502}3412C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x8000000000000000745452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.392{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-3E00-000000008502}3412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.391{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.391{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.391{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.391{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.391{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.391{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.390{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.390{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.390{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.390{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-3E00-000000008502}3412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.390{A78D3DEB-1A8B-634D-3A00-000000008502}33003304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8B-634D-3E00-000000008502}3412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11a87|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.390{A78D3DEB-1A8B-634D-3E00-000000008502}3412C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A8B-634D-3A00-000000008502}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000745439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.381{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.347{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.317{A78D3DEB-1A8B-634D-3D00-000000008502}33523356C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.283{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.258{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.257{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.257{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.257{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.256{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.256{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.256{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.255{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.254{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.251{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.218{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.218{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.217{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000745421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.215{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\surveyor-20221017090410-000MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000745420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.184{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.150{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.118{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.083{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-3D00-000000008502}3352C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-3D00-000000008502}3352C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A8B-634D-3C00-000000008502}33323336C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{A78D3DEB-1A8B-634D-3D00-000000008502}3352C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.043{A78D3DEB-1A8B-634D-3D00-000000008502}3352C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8B-634D-3C00-000000008502}3332C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x8000000000000000745369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-3C00-000000008502}3332C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-3C00-000000008502}3332C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A8B-634D-3B00-000000008502}33203324C:\Windows\system32\cmd.exe{A78D3DEB-1A8B-634D-3C00-000000008502}3332C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.033{A78D3DEB-1A8B-634D-3C00-000000008502}3332C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{A78D3DEB-1A8B-634D-3B00-000000008502}3320C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x8000000000000000745363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-3B00-000000008502}3320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-3B00-000000008502}3320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A8B-634D-3A00-000000008502}33003304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8B-634D-3B00-000000008502}3320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11a26|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.026{A78D3DEB-1A8B-634D-3B00-000000008502}3320C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A8B-634D-3A00-000000008502}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000745350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-3A00-000000008502}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-3A00-000000008502}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.009{A78D3DEB-1A8B-634D-3900-000000008502}32883292C:\Windows\system32\cmd.exe{A78D3DEB-1A8B-634D-3A00-000000008502}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.011{A78D3DEB-1A8B-634D-3A00-000000008502}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{A78D3DEB-1A8B-634D-3900-000000008502}3288C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000745337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.994{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8B-634D-3900-000000008502}3288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.994{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8B-634D-3900-000000008502}3288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.994{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A8B-634D-3900-000000008502}3288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe508|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.005{A78D3DEB-1A8B-634D-3900-000000008502}3288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000745333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.994{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.978{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.978{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A8A-634D-3600-000000008502}31963216C:\Windows\system32\conhost.exe{A78D3DEB-1A8A-634D-3700-000000008502}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3700-000000008502}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.962{A78D3DEB-1A8A-634D-3500-000000008502}31883192C:\Windows\system32\cmd.exe{A78D3DEB-1A8A-634D-3700-000000008502}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.952{A78D3DEB-1A8A-634D-3700-000000008502}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{A78D3DEB-1A8A-634D-3500-000000008502}3188C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x8000000000000000745317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.947{A78D3DEB-1A8A-634D-3400-000000008502}31243152C:\Windows\system32\wbem\wmiprvse.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\combase.dll+abdc2|C:\Windows\System32\combase.dll+acaee|C:\Windows\System32\combase.dll+ac8ff|C:\Windows\System32\combase.dll+2f278|C:\Windows\System32\combase.dll+2ee90|C:\Windows\System32\combase.dll+3be54|C:\Windows\System32\combase.dll+c2964|C:\Windows\System32\combase.dll+38f11|C:\Windows\System32\combase.dll+3a860|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000745316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A8A-634D-3600-000000008502}31963216C:\Windows\system32\conhost.exe{A78D3DEB-1A8A-634D-3500-000000008502}3188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.931{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.915{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3196C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.899{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.899{A78D3DEB-1A89-634D-2A00-000000008502}26162620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{00000000-0000-0000-0000-000000000000}3188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11ad65|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.913{A78D3DEB-1A8A-634D-3500-000000008502}3188C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000745284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.852{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.836{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.836{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.805{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.788{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.757{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.757{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.757{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.757{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.757{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.757{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.757{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.757{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.757{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.726{A78D3DEB-1A7C-634D-1600-000000008502}12362096C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1033a|C:\Windows\system32\wbem\wbemcore.dll+2d14f|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.781{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.781{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.779{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.779{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.733{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.733{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.671{5C0BDE06-1A8C-634D-6C00-000000008502}36883692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.449{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A8C-634D-6C00-000000008502}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.439{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.439{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.438{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.438{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.438{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.438{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.438{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.437{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.437{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.436{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A8C-634D-6C00-000000008502}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.436{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A8C-634D-6C00-000000008502}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.226{5C0BDE06-1A8C-634D-6C00-000000008502}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x8000000000000000517419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:04:12.359{5C0BDE06-1A8A-634D-6900-000000008502}3540\PSHost.133104710503315928.3540.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000517418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.341{5C0BDE06-1A8A-634D-6900-000000008502}3540NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_23mpp5o0.h0z.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.339{5C0BDE06-1A8A-634D-6900-000000008502}3540NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_s3octqvu.sb2.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.103{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.103{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.103{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.089{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.089{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.089{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.087{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.087{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.087{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.085{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.085{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.085{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.082{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.082{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.082{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.082{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.082{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.082{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.082{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.082{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.080{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.080{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 354300x8000000000000000517394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.325{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49683-false169.254.169.254-80http 354300x8000000000000000517393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.324{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49682-false169.254.169.254-80http 10341000x8000000000000000517392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.059{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.059{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.059{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.059{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.059{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.054{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.054{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 11241100x8000000000000000517385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.054{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_s3octqvu.sb2.ps12022-10-17 09:04:12.054 10341000x8000000000000000517384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.035{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.027{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.027{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.026{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.026{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.024{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.024{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.014{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.014{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.014{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.013{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.013{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.009{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.006{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:12.006{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000745713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.997{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.989{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.817{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8C-634D-4F00-000000008502}3992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.815{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.815{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.815{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.815{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.815{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.815{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.815{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.815{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.814{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.814{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4F00-000000008502}3992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.814{A78D3DEB-1A8C-634D-4D00-000000008502}39323936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8C-634D-4F00-000000008502}3992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+3462b|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+153d1|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.814{A78D3DEB-1A8C-634D-4F00-000000008502}3992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000745698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.783{A78D3DEB-1A8C-634D-4E00-000000008502}39523956C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.506{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8C-634D-4E00-000000008502}3952C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.506{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.506{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4E00-000000008502}3952C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.491{A78D3DEB-1A8C-634D-4D00-000000008502}39323936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8C-634D-4E00-000000008502}3952C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+15392|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.499{A78D3DEB-1A8C-634D-4E00-000000008502}3952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000745682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A8C-634D-4C00-000000008502}39203924C:\Windows\system32\cmd.exe{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.485{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{A78D3DEB-1A8C-634D-4C00-000000008502}3920C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x8000000000000000745669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.475{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8C-634D-4C00-000000008502}3920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.474{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.474{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.474{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.474{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.474{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.474{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.474{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.470{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.470{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.470{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4C00-000000008502}3920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.470{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A8C-634D-4C00-000000008502}3920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116d5e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11389a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.471{A78D3DEB-1A8C-634D-4C00-000000008502}3920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000745656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.469{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000745655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.864{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-58844- 354300x8000000000000000745654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.755{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-54132- 354300x8000000000000000745653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.614{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-63211- 354300x8000000000000000745652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.235{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-61489- 354300x8000000000000000745651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.232{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62561- 354300x8000000000000000745650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.232{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62561-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domain 354300x8000000000000000745649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.195{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49678-false169.254.169.254-80http 354300x8000000000000000745648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.194{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49677-false169.254.169.254-80http 10341000x8000000000000000745647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.443{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.426{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.426{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.426{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.425{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.425{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.425{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.425{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.425{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.425{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.425{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.424{A78D3DEB-1A8B-634D-4400-000000008502}35843672C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000745635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.415{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'" "| Select-Object" "ProductName, BuildLabEx, CurrentMajorVersionNumber, CurrentMinorVersionNumber" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000745634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.416{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.384{A78D3DEB-1A8C-634D-4900-000000008502}37883792C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.329{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.328{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.285{A78D3DEB-1A7C-634D-1600-000000008502}12362096C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.272{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.258{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.258{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.256{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.256{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.256{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.256{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.256{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.106{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.106{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.106{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.105{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.105{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.105{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.105{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.105{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.105{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.103{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4600-000000008502}3728C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.103{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4600-000000008502}3728C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.100{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.100{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.100{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.100{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.099{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.099{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.099{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.099{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.099{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.099{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4600-000000008502}3728C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.098{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8C-634D-4900-000000008502}3788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.097{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.097{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.097{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.097{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.097{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.097{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.097{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.097{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.097{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.096{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4900-000000008502}3788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.096{A78D3DEB-1A8C-634D-4800-000000008502}37563760C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{A78D3DEB-1A8C-634D-4900-000000008502}3788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.096{A78D3DEB-1A8C-634D-4900-000000008502}3788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8C-634D-4800-000000008502}3756C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list watchdog --no-log 10341000x8000000000000000745587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.095{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.095{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.095{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.095{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.095{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.095{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.095{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.094{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.094{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.091{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8C-634D-4800-000000008502}3756C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.089{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4800-000000008502}3756C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.088{A78D3DEB-1A8C-634D-4700-000000008502}37443748C:\Windows\system32\cmd.exe{A78D3DEB-1A8C-634D-4800-000000008502}3756C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.089{A78D3DEB-1A8C-634D-4800-000000008502}3756C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{A78D3DEB-1A8C-634D-4700-000000008502}3744C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list watchdog --no-log 10341000x8000000000000000745574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.087{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A8C-634D-4600-000000008502}3728C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.085{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8C-634D-4700-000000008502}3744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.084{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4600-000000008502}3728C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.084{A78D3DEB-1A8B-634D-4400-000000008502}35843696C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{A78D3DEB-1A8C-634D-4600-000000008502}3728C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000745570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.074{A78D3DEB-1A8C-634D-4600-000000008502}3728C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000745569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.082{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8C-634D-4700-000000008502}3744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.082{A78D3DEB-1A8B-634D-3A00-000000008502}33003304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8C-634D-4700-000000008502}3744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11f3c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.082{A78D3DEB-1A8C-634D-4700-000000008502}3744C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A8B-634D-3A00-000000008502}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000745566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.047{A78D3DEB-1A8B-634D-4300-000000008502}35643568C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000517478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.996{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_2fczij1p.wha.ps12022-10-17 09:04:13.996 10341000x8000000000000000517477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.691{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.685{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.672{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.642{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.640{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.640{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.640{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.640{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.640{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.640{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.640{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.639{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.639{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.639{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.639{5C0BDE06-1A7B-634D-3C00-000000008502}30121204C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000517462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.638{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_OperatingSystem" "| Select-Object" "Version, OperatingSystemSKU" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x8000000000000000517461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.618{5C0BDE06-1A8A-634D-6900-000000008502}3540NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.609{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.609{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.609{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.601{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000517456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.429{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D53AD19CA14F7AB235861AE232D908BA,SHA256=C417B67C2ACA43317AE72504AA04DCC1DF8DE68874CA661B0ABDF38C36765539,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.413{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.413{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.413{5C0BDE06-1A8D-634D-6D00-000000008502}37523756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+612c85|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+6127b6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+6130a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+6175e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+9f3c34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.210{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.179{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.002{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.2.5Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=AB96D2BD3910F3BD75B0A3D92F63F465,SHA256=3CD6E00A0209A97B5281D09A97C06CF82CF0197C3C950E8EAFE5BACC4236BEB1,IMPHASH=2E1496526AAA190EABB9573D6C4DC049{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000745807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.997{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8D-634D-5500-000000008502}3452C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.996{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.996{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8D-634D-5500-000000008502}3452C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A8D-634D-5400-000000008502}33243320C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{A78D3DEB-1A8D-634D-5500-000000008502}3452C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.995{A78D3DEB-1A8D-634D-5500-000000008502}3452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8D-634D-5400-000000008502}3324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x8000000000000000745794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.990{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8D-634D-5400-000000008502}3324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.989{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.989{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.989{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.988{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.988{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.988{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.988{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.988{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.988{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.988{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8D-634D-5400-000000008502}3324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.987{A78D3DEB-1A8C-634D-4D00-000000008502}39323936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8D-634D-5400-000000008502}3324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+10451|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1551b|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.988{A78D3DEB-1A8D-634D-5400-000000008502}3324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000745781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.945{A78D3DEB-1A8D-634D-5300-000000008502}33443340C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.631{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8D-634D-5300-000000008502}3344C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.630{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.630{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.630{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.630{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.629{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.629{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.629{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.629{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.629{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8D-634D-5300-000000008502}3344C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.629{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.629{A78D3DEB-1A8D-634D-5200-000000008502}33643360C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{A78D3DEB-1A8D-634D-5300-000000008502}3344C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.629{A78D3DEB-1A8D-634D-5300-000000008502}3344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8D-634D-5200-000000008502}3364C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x8000000000000000745767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.621{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8D-634D-5200-000000008502}3364C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.619{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.619{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.619{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.619{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8D-634D-5200-000000008502}3364C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.619{A78D3DEB-1A8C-634D-4D00-000000008502}39323936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8D-634D-5200-000000008502}3364C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+10451|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+154e7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.619{A78D3DEB-1A8D-634D-5200-000000008502}3364C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 22542200x8000000000000000745754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.069{A78D3DEB-1A79-634D-0B00-000000008502}648win-dc-ctus-attack-range-801010.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000745753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.067{A78D3DEB-1A89-634D-2700-000000008502}2572win-dc-ctus-attack-range-801.attackrange.local0fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x8000000000000000745752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.441{A78D3DEB-1A8D-634D-5100-000000008502}32003248C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.399{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.399{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000745749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.210{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000745748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.018{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51335- 354300x8000000000000000745747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.017{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9850:66b7:3ba:ffff-51335-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000745746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.864{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-51319- 10341000x8000000000000000745745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.164{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8D-634D-5100-000000008502}3200C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.162{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.162{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.162{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.162{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.162{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.162{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.162{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.161{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.161{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.161{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8D-634D-5100-000000008502}3200C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.161{A78D3DEB-1A8D-634D-5000-000000008502}40644068C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{A78D3DEB-1A8D-634D-5100-000000008502}3200C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.161{A78D3DEB-1A8D-634D-5100-000000008502}3200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8D-634D-5000-000000008502}4064C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 17141700x8000000000000000745732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:13.142{A78D3DEB-1A8C-634D-4B00-000000008502}3880\PSHost.133104710524155752.3880.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000745731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.134{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8D-634D-5000-000000008502}4064C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.133{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.133{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.133{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.132{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.132{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.132{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.132{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.132{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.132{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.132{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8D-634D-5000-000000008502}4064C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.131{A78D3DEB-1A8C-634D-4D00-000000008502}39323936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8D-634D-5000-000000008502}4064C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+10451|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+154b3|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.132{A78D3DEB-1A8D-634D-5000-000000008502}4064C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 23542300x8000000000000000745718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.129{A78D3DEB-1A8C-634D-4B00-000000008502}3880NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ll2jfyha.mqo.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000745717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.128{A78D3DEB-1A8C-634D-4B00-000000008502}3880NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_2pp4odzi.g0p.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000745716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.091{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4F00-000000008502}3992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.086{A78D3DEB-1A8C-634D-4F00-000000008502}39923996C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000745714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.027{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_2pp4odzi.g0p.ps12022-10-17 09:04:13.027 10341000x8000000000000000517566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.983{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.982{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000517564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:04:14.958{5C0BDE06-1A8E-634D-7200-000000008502}3188\PSHost.133104710548274010.3188.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000517563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.946{5C0BDE06-1A8E-634D-7200-000000008502}3188NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_lniok0zz.afy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.934{5C0BDE06-1A8E-634D-7200-000000008502}3188NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_wbbdltz1.st4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000517561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.905{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_wbbdltz1.st4.ps12022-10-17 09:04:14.904 10341000x8000000000000000517560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.885{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.874{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.858{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.830{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.828{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.828{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.828{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.828{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.828{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.828{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.828{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.827{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.827{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.827{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.827{5C0BDE06-1A7B-634D-3C00-000000008502}30122992C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000517545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.827{5C0BDE06-1A8E-634D-7200-000000008502}3188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\AwsNitroEnclaves'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x8000000000000000517544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.802{5C0BDE06-1A8E-634D-7100-000000008502}4036NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.791{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000517542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.664{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=092C6426BBAEF31070C427FB2C51DE2B,SHA256=33818F35A11BCB4562E8D40CADC3A6AD73D12A8183467640972D7FA405A176E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.658{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53880F2E99E57010118A261920C17974,SHA256=D05B0590FFEC0C6DCBA5FC4DCB131AA24E8831C403732CC78836F61D6783695A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.578{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.578{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000517538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:04:14.541{5C0BDE06-1A8E-634D-7100-000000008502}4036\PSHost.133104710544752644.4036.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000517537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.541{5C0BDE06-1A8E-634D-7100-000000008502}4036NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_jbvxoiud.tp0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.541{5C0BDE06-1A8E-634D-7100-000000008502}4036NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ds5hdygo.gys.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000517535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.526{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ds5hdygo.gys.ps12022-10-17 09:04:14.526 10341000x8000000000000000517534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.510{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.510{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.494{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.478{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.476{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.476{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.476{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.476{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.476{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.476{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.476{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.475{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.475{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.475{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.474{5C0BDE06-1A7B-634D-3C00-000000008502}30121204C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000517519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.475{5C0BDE06-1A8E-634D-7100-000000008502}4036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\PVDriver'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000517518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.420{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7000-000000008502}4004C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.420{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8E-634D-7000-000000008502}4004C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.419{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A8E-634D-7000-000000008502}4004C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.409{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A8E-634D-7000-000000008502}4004C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.409{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.409{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.408{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.408{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.408{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.408{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.408{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.408{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.407{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.407{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A8E-634D-7000-000000008502}4004C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.406{5C0BDE06-1A7B-634D-3C00-000000008502}30122992C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A8E-634D-7000-000000008502}4004C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000517503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.407{5C0BDE06-1A8E-634D-7000-000000008502}4004C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x8000000000000000517502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.367{5C0BDE06-1A8D-634D-6E00-000000008502}3848NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.352{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.336{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.066{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A8D-634D-6F00-000000008502}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.064{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.064{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.064{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.064{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.064{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.063{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.063{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.063{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.062{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.062{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A8D-634D-6F00-000000008502}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.062{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A8D-634D-6F00-000000008502}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:13.842{5C0BDE06-1A8D-634D-6F00-000000008502}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.061{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.061{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8D-634D-6E00-000000008502}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000517484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:04:14.033{5C0BDE06-1A8D-634D-6E00-000000008502}3848\PSHost.133104710536389400.3848.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000517483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.024{5C0BDE06-1A8D-634D-6E00-000000008502}3848NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_bjwpn23l.etv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.024{5C0BDE06-1A8D-634D-6E00-000000008502}3848NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_2fczij1p.wha.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.009{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.009{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:14.009{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 11241100x8000000000000000746032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.997{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_gyxpein4.4en.ps12022-10-17 09:04:14.996 10341000x8000000000000000746031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4C00-000000008502}3920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4C00-000000008502}3920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8E-634D-5A00-000000008502}3792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8E-634D-5A00-000000008502}3792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8E-634D-5B00-000000008502}3748C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8E-634D-5B00-000000008502}3748C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8E-634D-5800-000000008502}3728C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8E-634D-5800-000000008502}3728C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.923{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000746000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.922{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.921{A78D3DEB-1A89-634D-3000-000000008502}28323496C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012988190) 10341000x8000000000000000745933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.809{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.804{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.797{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.774{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.773{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.773{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.773{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.773{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.773{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.772{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.772{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.772{A78D3DEB-1A8B-634D-4400-000000008502}35843588C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000745918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.772{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\PVDriver'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000745917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.735{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5900-000000008502}3796C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.735{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5900-000000008502}3796C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.734{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8E-634D-5B00-000000008502}3748C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.733{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.733{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.733{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.733{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.732{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.732{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.732{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.732{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.732{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8E-634D-5B00-000000008502}3748C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.732{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.732{A78D3DEB-1A8E-634D-5A00-000000008502}37923784C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{A78D3DEB-1A8E-634D-5B00-000000008502}3748C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.732{A78D3DEB-1A8E-634D-5B00-000000008502}3748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8E-634D-5A00-000000008502}3792C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x8000000000000000745902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.731{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8E-634D-5900-000000008502}3796C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.724{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8E-634D-5A00-000000008502}3792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.723{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A8E-634D-5900-000000008502}3796C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8E-634D-5A00-000000008502}3792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A8E-634D-5800-000000008502}37283804C:\Windows\system32\cmd.exe{A78D3DEB-1A8E-634D-5A00-000000008502}3792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A8E-634D-5A00-000000008502}3792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{A78D3DEB-1A8E-634D-5800-000000008502}3728C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x8000000000000000745880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.721{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.720{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8E-634D-5900-000000008502}3796C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.720{A78D3DEB-1A8B-634D-4400-000000008502}35843672C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{A78D3DEB-1A8E-634D-5900-000000008502}3796C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000745876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.720{A78D3DEB-1A8E-634D-5900-000000008502}3796C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000745875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.718{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8E-634D-5800-000000008502}3728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.712{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8E-634D-5800-000000008502}3728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.710{A78D3DEB-1A8C-634D-4D00-000000008502}39323936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8E-634D-5800-000000008502}3728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+15625|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.711{A78D3DEB-1A8E-634D-5800-000000008502}3728C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 23542300x8000000000000000745862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.689{A78D3DEB-1A8E-634D-5600-000000008502}3428NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000745861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.680{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.656{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000745859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.644{A78D3DEB-1A8E-634D-5700-000000008502}3516NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=15300FEF3E1C8844615AD2F0C722B08B,SHA256=D2E7AF8752D3526976E0566B0C1F2FA5A25A2D8FFF05D0F294C916BD54638498,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000745858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.606{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8E-634D-5700-000000008502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.601{A78D3DEB-1A8E-634D-5700-000000008502}35163512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1325115|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.336{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.336{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.335{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8E-634D-5700-000000008502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.332{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8E-634D-5700-000000008502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.332{A78D3DEB-1A8C-634D-4D00-000000008502}39323936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8E-634D-5700-000000008502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1557b|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.333{A78D3DEB-1A8E-634D-5700-000000008502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 17141700x8000000000000000745841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:14.315{A78D3DEB-1A8E-634D-5600-000000008502}3428\PSHost.133104710542368707.3428.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000745840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.306{A78D3DEB-1A8E-634D-5600-000000008502}3428NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_3hp0tmzo.mz0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000745839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.304{A78D3DEB-1A8E-634D-5600-000000008502}3428NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ufhavv0p.24g.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000745838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.293{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ufhavv0p.24g.ps12022-10-17 09:04:14.293 10341000x8000000000000000745837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.281{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.278{A78D3DEB-1A8D-634D-5500-000000008502}34523508C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.276{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.262{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.239{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.237{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.237{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.237{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.237{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.237{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.237{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.237{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.237{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.237{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.236{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.236{A78D3DEB-1A8B-634D-4400-000000008502}35843588C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000745821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.236{A78D3DEB-1A8E-634D-5600-000000008502}3428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_OperatingSystem" "| Select-Object" "Version, OperatingSystemSKU" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 354300x8000000000000000745820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.389{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62211- 354300x8000000000000000745819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.063{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56037- 354300x8000000000000000745818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.063{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49686-false169.254.169.254-80http 354300x8000000000000000745817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.060{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49685-false169.254.169.254-80http 354300x8000000000000000745816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.059{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49684-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000745815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.059{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49684-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000745814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.058{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49683-false169.254.169.254-80http 354300x8000000000000000745813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.057{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49682-false169.254.169.254-80http 354300x8000000000000000745812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.053{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49681-false169.254.169.254-80http 354300x8000000000000000745811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.051{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49680-false169.254.169.254-80http 354300x8000000000000000745810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:11.237{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62561- 23542300x8000000000000000745809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.216{A78D3DEB-1A8C-634D-4B00-000000008502}3880NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000745808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.201{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4B00-000000008502}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.986{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.985{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.985{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.985{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.985{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.985{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.985{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.985{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.984{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.984{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.984{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.983{5C0BDE06-1A7B-634D-3C00-000000008502}30121204C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000517617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.983{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-WinEvent -FilterHashtable @( @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; Level=4 }, @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; Level=2 } ) | Sort-Object TimeCreated -Descending" "| Select-Object" "Id, Level, ProviderName, TimeCreated, Properties" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x8000000000000000517616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.951{5C0BDE06-1A8F-634D-7400-000000008502}3416NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.889{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.889{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.889{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.888{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.888{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.887{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.532{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.532{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000517607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:04:15.498{5C0BDE06-1A8F-634D-7400-000000008502}3416\PSHost.133104710553984881.3416.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000517606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.485{5C0BDE06-1A8F-634D-7400-000000008502}3416NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_fnkannii.0qa.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.484{5C0BDE06-1A8F-634D-7400-000000008502}3416NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_2ei0nrr5.hdk.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000517604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.467{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_2ei0nrr5.hdk.ps12022-10-17 09:04:15.466 10341000x8000000000000000517603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.452{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.430{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.401{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.400{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.400{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.399{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.399{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.399{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.399{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.399{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.399{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.398{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.398{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.398{5C0BDE06-1A7B-634D-3C00-000000008502}30122992C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000517588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.398{5C0BDE06-1A8F-634D-7400-000000008502}3416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPEntity | Where-Object { $_.Service -eq 'xenvbd' }" "| Select-Object" DeviceID "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000517587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.351{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7300-000000008502}3432C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.351{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7300-000000008502}3432C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A8F-634D-7300-000000008502}3432C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.332{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A8F-634D-7300-000000008502}3432C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.331{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.331{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.329{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.329{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A8F-634D-7300-000000008502}3432C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.329{5C0BDE06-1A7B-634D-3C00-000000008502}30121204C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A8F-634D-7300-000000008502}3432C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000517572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.329{5C0BDE06-1A8F-634D-7300-000000008502}3432C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000517571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.327{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.327{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.325{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.325{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 23542300x8000000000000000517567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:15.306{5C0BDE06-1A8E-634D-7200-000000008502}3188NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000746204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.948{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-6600-000000008502}3768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.947{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.947{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.947{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.947{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.947{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.947{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.947{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.946{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.946{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.946{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-6600-000000008502}3768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.946{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A8F-634D-6600-000000008502}3768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.946{A78D3DEB-1A8F-634D-6600-000000008502}3768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.842{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-6500-000000008502}3532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.840{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.840{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.840{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.840{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.840{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.840{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.840{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.840{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-6500-000000008502}3532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.839{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A8F-634D-6500-000000008502}3532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.840{A78D3DEB-1A8F-634D-6500-000000008502}3532C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.835{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.835{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000746176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:15.812{A78D3DEB-1A8F-634D-6400-000000008502}1944\PSHost.133104710557400275.1944.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000746175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.802{A78D3DEB-1A8F-634D-6400-000000008502}1944NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_czr0ew4i.eto.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.800{A78D3DEB-1A8F-634D-6400-000000008502}1944NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_aez4imjo.gdp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000746173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.789{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_aez4imjo.gdp.ps12022-10-17 09:04:15.789 10341000x8000000000000000746172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.780{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.775{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.766{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.742{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.741{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.739{A78D3DEB-1A8B-634D-4400-000000008502}35843696C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000746157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.740{A78D3DEB-1A8F-634D-6400-000000008502}1944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPEntity | Where-Object { $_.Service -eq 'xenvbd' }" "| Select-Object" DeviceID "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000746156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.694{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6300-000000008502}3436C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.693{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6300-000000008502}3436C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.690{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8F-634D-6300-000000008502}3436C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.682{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-6300-000000008502}3436C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.680{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.680{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.680{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.680{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.680{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.680{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.680{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.680{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.679{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.679{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-6300-000000008502}3436C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.679{A78D3DEB-1A8B-634D-4400-000000008502}35843672C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{A78D3DEB-1A8F-634D-6300-000000008502}3436C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000746141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.679{A78D3DEB-1A8F-634D-6300-000000008502}3436C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x8000000000000000746140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.661{A78D3DEB-1A8F-634D-6000-000000008502}3336NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.591{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=15300FEF3E1C8844615AD2F0C722B08B,SHA256=D2E7AF8752D3526976E0566B0C1F2FA5A25A2D8FFF05D0F294C916BD54638498,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000746138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.503{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-6200-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-6200-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.500{A78D3DEB-1A8F-634D-6100-000000008502}40763208C:\Windows\system32\cmd.exe{A78D3DEB-1A8F-634D-6200-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.501{A78D3DEB-1A8F-634D-6200-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{A78D3DEB-1A8F-634D-6100-000000008502}4076C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x8000000000000000746125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.498{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-6100-000000008502}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.496{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.496{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.496{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.496{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.496{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.496{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.495{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.495{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.495{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.495{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-6100-000000008502}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.495{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A8F-634D-6100-000000008502}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116d5e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1138cf|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.495{A78D3DEB-1A8F-634D-6100-000000008502}4076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000746112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.494{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\pre-flight-checksMD5=187E33D9B56F557FBE6F5D6435CCBD30,SHA256=CCE27D14D09DE791EB046BADB606438CBD915F60507810471DE5FC7D75790BE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000746111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.280{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-62276- 354300x8000000000000000746110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.185{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58029- 354300x8000000000000000746109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.185{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63850- 354300x8000000000000000746108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.184{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61447- 354300x8000000000000000746107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.063{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56037- 354300x8000000000000000746106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.504{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56038- 354300x8000000000000000746105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.453{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62034- 354300x8000000000000000746104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.400{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49688-false169.254.169.254-80http 354300x8000000000000000746103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:12.399{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49687-false169.254.169.254-80http 10341000x8000000000000000746102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.460{A78D3DEB-1A8F-634D-5F00-000000008502}40884084C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.338{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.338{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000746099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:15.317{A78D3DEB-1A8F-634D-6000-000000008502}3336\PSHost.133104710552413342.3336.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000746098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.308{A78D3DEB-1A8F-634D-6000-000000008502}3336NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_g4xtdptb.1io.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.307{A78D3DEB-1A8F-634D-6000-000000008502}3336NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_crxm00bl.r5s.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000746096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.296{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_crxm00bl.r5s.ps12022-10-17 09:04:15.296 10341000x8000000000000000746095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.286{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.280{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.267{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.244{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.242{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.242{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.242{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.242{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.242{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.242{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.241{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.241{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.241{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.241{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.241{A78D3DEB-1A8B-634D-4400-000000008502}35843696C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000746080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.241{A78D3DEB-1A8F-634D-6000-000000008502}3336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\AwsNitroEnclaves'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x8000000000000000746079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.217{A78D3DEB-1A8E-634D-5C00-000000008502}3292NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000746078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.208{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.058{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-5F00-000000008502}4088C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.056{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.056{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.056{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.056{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.056{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.056{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.055{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.055{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.055{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-5F00-000000008502}4088C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.055{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.055{A78D3DEB-1A8F-634D-5E00-000000008502}32403244C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{A78D3DEB-1A8F-634D-5F00-000000008502}4088C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.055{A78D3DEB-1A8F-634D-5F00-000000008502}4088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A8F-634D-5E00-000000008502}3240C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x8000000000000000746064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.051{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-5E00-000000008502}3240C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.049{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.049{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.049{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.049{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.049{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.048{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.048{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.048{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.048{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.048{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-5E00-000000008502}3240C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.048{A78D3DEB-1A8F-634D-5D00-000000008502}39963992C:\Windows\system32\cmd.exe{A78D3DEB-1A8F-634D-5E00-000000008502}3240C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.048{A78D3DEB-1A8F-634D-5E00-000000008502}3240C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{A78D3DEB-1A8F-634D-5D00-000000008502}3996C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x8000000000000000746051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.046{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.046{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8E-634D-5C00-000000008502}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.044{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A8F-634D-5D00-000000008502}3996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.039{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.039{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.039{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.039{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.038{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.038{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.038{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.038{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.038{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.034{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8F-634D-5D00-000000008502}3996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.033{A78D3DEB-1A8C-634D-4D00-000000008502}39323936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{A78D3DEB-1A8F-634D-5D00-000000008502}3996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+156ca|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.034{A78D3DEB-1A8F-634D-5D00-000000008502}3996C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A8C-634D-4D00-000000008502}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 17141700x8000000000000000746036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:15.021{A78D3DEB-1A8E-634D-5C00-000000008502}3292\PSHost.133104710547724254.3292.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000746035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.011{A78D3DEB-1A8E-634D-5C00-000000008502}3292NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_uapeoif0.2z0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.009{A78D3DEB-1A8E-634D-5C00-000000008502}3292NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_gyxpein4.4en.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000746033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.999{A78D3DEB-1A8E-634D-5B00-000000008502}37483744C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000517640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.511{5C0BDE06-1A8F-634D-7500-000000008502}2792NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.499{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.123{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.123{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000517636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:04:16.092{5C0BDE06-1A8F-634D-7500-000000008502}2792\PSHost.133104710559836002.2792.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000517635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.075{5C0BDE06-1A8F-634D-7500-000000008502}2792NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_cumml0js.ceg.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.059{5C0BDE06-1A8F-634D-7500-000000008502}2792NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tvbqldsx.hlv.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000517633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.044{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tvbqldsx.hlv.ps12022-10-17 09:04:16.044 10341000x8000000000000000517632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.028{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.028{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:16.012{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A8F-634D-7500-000000008502}2792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.989{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.949{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.913{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.880{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.806{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.782{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-6F00-000000008502}3224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.781{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.781{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.781{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.781{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.781{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.781{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.781{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.781{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.781{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.780{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-6F00-000000008502}3224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.780{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A90-634D-6F00-000000008502}3224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.780{A78D3DEB-1A90-634D-6F00-000000008502}3224C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.699{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-6E00-000000008502}3924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.696{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.696{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.696{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.696{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.696{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.696{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.696{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.696{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.696{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.677{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-6E00-000000008502}3924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.677{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A90-634D-6E00-000000008502}3924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.677{A78D3DEB-1A90-634D-6E00-000000008502}3924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.576{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-6D00-000000008502}3948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.574{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.574{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.574{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.574{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.574{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.574{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.574{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.574{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.574{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.573{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-6D00-000000008502}3948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.573{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A90-634D-6D00-000000008502}3948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.573{A78D3DEB-1A90-634D-6D00-000000008502}3948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000746302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.837{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50244- 354300x8000000000000000746301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.185{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63850- 354300x8000000000000000746300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.185{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61447- 354300x8000000000000000746299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.185{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58029- 354300x8000000000000000746298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:14.018{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local51335- 354300x8000000000000000746297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.500{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56038- 354300x8000000000000000746296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.448{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62034- 354300x8000000000000000746295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:13.389{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62211- 10341000x8000000000000000746294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.472{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-6C00-000000008502}3244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.471{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.471{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.471{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.471{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.471{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.470{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.470{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.470{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.470{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.469{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-6C00-000000008502}3244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.469{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A90-634D-6C00-000000008502}3244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.470{A78D3DEB-1A90-634D-6C00-000000008502}3244C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.365{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-6B00-000000008502}4080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.364{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.364{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.364{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.363{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.363{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.363{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.363{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.363{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.363{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.363{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-6B00-000000008502}4080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.363{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A90-634D-6B00-000000008502}4080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.363{A78D3DEB-1A90-634D-6B00-000000008502}4080C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.266{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.266{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.261{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-6A00-000000008502}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.259{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.259{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.259{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.259{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.259{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.259{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.259{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.259{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.259{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.258{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-6A00-000000008502}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.258{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A90-634D-6A00-000000008502}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.258{A78D3DEB-1A90-634D-6A00-000000008502}4060C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x8000000000000000746253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:16.246{A78D3DEB-1A90-634D-6900-000000008502}3784\PSHost.133104710561789256.3784.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000746252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.237{A78D3DEB-1A90-634D-6900-000000008502}3784NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ictolycx.0xk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.236{A78D3DEB-1A90-634D-6900-000000008502}3784NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_aitte4wl.jwf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000746250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.224{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_aitte4wl.jwf.ps12022-10-17 09:04:16.224 10341000x8000000000000000746249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.215{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.210{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.203{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.181{A78D3DEB-1A8B-634D-4500-000000008502}36083632C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.178{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.178{A78D3DEB-1A8B-634D-4400-000000008502}35843588C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000746234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.178{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-WinEvent -FilterHashtable @( @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; Level=4 }, @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; Level=2 } ) | Sort-Object TimeCreated -Descending" "| Select-Object" "Id, Level, ProviderName, TimeCreated, Properties" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000746233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.157{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-6800-000000008502}3316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000746232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.157{A78D3DEB-1A8F-634D-6400-000000008502}1944NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000746231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.156{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.156{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.156{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.156{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.156{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.156{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.156{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.155{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.155{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.155{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-6800-000000008502}3316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.155{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A90-634D-6800-000000008502}3316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.155{A78D3DEB-1A90-634D-6800-000000008502}3316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.126{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000746218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:16.123{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e207-0x6eef2155) 10341000x8000000000000000746217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.054{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-6700-000000008502}3760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.052{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.052{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.052{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.052{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.052{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.052{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.052{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.052{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.051{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.051{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-6700-000000008502}3760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.051{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A90-634D-6700-000000008502}3760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.051{A78D3DEB-1A90-634D-6700-000000008502}3760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:17.386{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.987{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.956{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.923{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.893{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.858{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.827{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.796{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.765{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.733{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.701{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.669{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.637{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.616{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A90-634D-7000-000000008502}3344C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.614{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.614{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.614{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.614{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.614{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.614{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.614{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.614{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.613{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A90-634D-7000-000000008502}3344C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.613{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.613{A78D3DEB-1A89-634D-2A00-000000008502}26163252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A90-634D-7000-000000008502}3344C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.886{A78D3DEB-1A90-634D-7000-000000008502}3344C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=B0EEDA46BB8CCD5FA6571045330B10BC,SHA256=DA61CF997DF9A045242CE0F4070302E135975E82D9AC8EFCA88C8818E578C679,IMPHASH=01B7D47D95694EF08C4D38972FE4BD1F{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.602{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.571{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.532{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.501{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000746365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.118{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x8000000000000000746364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:15.837{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50244- 10341000x8000000000000000746363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.469{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.437{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.405{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.374{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.300{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.266{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.235{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.203{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.172{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.140{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.109{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000746351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.086{A78D3DEB-1A90-634D-6900-000000008502}3784NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000746350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.074{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A90-634D-6900-000000008502}3784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.073{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.039{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.994{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.955{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.920{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.886{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.851{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.816{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.763{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.730{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.692{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.659{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.621{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.586{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.536{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.483{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000746413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.121{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60423- 354300x8000000000000000746412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.120{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62766- 354300x8000000000000000746411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.595{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-59053- 354300x8000000000000000746410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.122{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local138netbios-dgm 354300x8000000000000000746409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.122{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x8000000000000000746408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.120{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60423- 354300x8000000000000000746407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:16.119{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62766- 10341000x8000000000000000746406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.409{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.342{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.309{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.275{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.242{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.207{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.174{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.117{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.085{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.052{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.020{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:19.813{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:19.701{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000746433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.285{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-55914- 354300x8000000000000000746432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:17.271{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56039- 10341000x8000000000000000746431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:19.132{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:19.097{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:19.062{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:19.028{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000517660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:18.363{5C0BDE06-1A79-634D-1600-000000008502}1220us-east-2.compute.internal1460-C:\Windows\System32\svchost.exe 10341000x8000000000000000517659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.611{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.608{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.607{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.605{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.601{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.586{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.555{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.539{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.523{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.509{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.500{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.492{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.485{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.473{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.464{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.453{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.441{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:20.435{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 354300x8000000000000000746472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.274{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61444- 354300x8000000000000000746471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.272{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56039- 354300x8000000000000000746470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:18.261{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-52345- 10341000x8000000000000000746469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.216{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.216{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.216{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.216{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.215{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.215{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.215{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.215{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.215{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.215{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.215{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.213{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.213{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.213{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.213{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.211{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.211{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.205{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.205{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.205{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.200{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.200{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.200{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.199{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.199{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.199{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.197{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.197{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.195{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.195{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.186{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.186{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.185{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.070{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x8000000000000000517677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:48.466C:\Windows\System32\drivers\npcap.sysMD5=0248E428603D75C9B57ECE50A6AF8BD8,SHA256=4FACA21D8E1D609E53B606039DE2AFF06E1067023BEE7FC2492244E32E6AA9F5,IMPHASH=091E865D116FE7C227508B3A9EB8C4D2trueInsecure.Com LLCValid 644600x8000000000000000517676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:48.294C:\Windows\System32\drivers\AWSNVMe.sysMD5=107A18FF866DABA3C1F81A513F134BD0,SHA256=90A15A7EF2AF4B0ECBB863C8F28F105DE8A0779357FBC68580550846F0B5674C,IMPHASH=38C42FFC959E42970135FFB1C392B14FtrueAmazon Web Services, Inc.Valid 644600x8000000000000000517675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.466C:\Windows\System32\drivers\AWSNVMe.sysMD5=107A18FF866DABA3C1F81A513F134BD0,SHA256=90A15A7EF2AF4B0ECBB863C8F28F105DE8A0779357FBC68580550846F0B5674C,IMPHASH=38C42FFC959E42970135FFB1C392B14FtrueAmazon Web Services, Inc.Valid 10341000x8000000000000000517674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.054{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.052{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.044{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.040{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.035{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.035{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.031{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.029{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.026{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.025{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.024{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.018{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.015{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000517661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:21.009{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 23542300x8000000000000000746476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:21.936{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=72FF47CCB7A602CD21A3F76E0DE290D7,SHA256=CB7F75638EA8A7F2688EC09B03489E0012528D48AF33DBD5BF584B211AF53810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:21.933{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=F42383F9DDFEC93181C2898E9A1A23D5,SHA256=CDF46B6DC28A3B3CBFE78F85971D72B07954AA9D0BEB7FD9A65A52024846DF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:21.928{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=1C45EB36B14B2771A4532C8526035FEB,SHA256=3FD44CDE32DF5F0576D9BEBC14593608073FAAF79C2AE02AD530DA018E21C758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000746473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:19.274{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61444- 644600x8000000000000000517678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:48.607C:\Windows\System32\drivers\ena.sysMD5=65A3B3392440F3A0D5C872E0A2BC60D2,SHA256=D43D6DDFDC6038FE22A8ED708AD1C19FAF080C939E34D4E826B7F65948E8F9E1,IMPHASH=6FFD351A81BB8A4D4E0238012A115086trueAmazon Web Services, Inc.Valid 354300x8000000000000000746545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.757{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-61244- 354300x8000000000000000746544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:20.332{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15-53226- 10341000x8000000000000000746543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.554{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.554{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.553{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.553{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.553{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.553{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.553{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.553{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A96-634D-7200-000000008502}3244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.553{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.553{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.552{A78D3DEB-1A96-634D-7100-000000008502}23204068C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{A78D3DEB-1A96-634D-7200-000000008502}3244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+5fc32|C:\Windows\System32\KERNELBASE.dll+5f7c6|C:\Windows\System32\KERNEL32.DLL+1bcc3|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+4b8b6b|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+1fe749|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+201333|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+c41921|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.530{A78D3DEB-1A96-634D-7200-000000008502}3244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exe1.55Npcap OEM 1.55 installerNpcap OEM--/winpcap_mode=no /no_kill=yes /SC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=0FE4958B3C68EF3822F99F158FEA850C,SHA256=1F035C0498863B41B64DF87099EC20F80C6DB26B12D27B5AFEF1C1AD3FA28690,IMPHASH=DFB595641ED97366338A474595C7BE08{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" 10341000x8000000000000000746531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.500{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.500{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.498{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.498{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.493{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.493{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.493{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.493{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.491{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.491{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.420{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.417{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.417{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.416{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.416{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.416{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.416{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.416{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.416{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.415{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.415{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.415{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.415{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=B0EEDA46BB8CCD5FA6571045330B10BC,SHA256=DA61CF997DF9A045242CE0F4070302E135975E82D9AC8EFCA88C8818E578C679,IMPHASH=01B7D47D95694EF08C4D38972FE4BD1F{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.339{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.339{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.339{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.339{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.338{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.338{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.337{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.337{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.332{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.332{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.330{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.330{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.155{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.155{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.155{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.155{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.154{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.153{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.153{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.153{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.151{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.151{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.140{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.140{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.140{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.140{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.138{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.138{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.048{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.048{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.044{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.043{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000517681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.107{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000517680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:23.247{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:23.247{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 22542200x8000000000000000746585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.028{A78D3DEB-1A79-634D-0B00-000000008502}648_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 10341000x8000000000000000746584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.409{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.409{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.407{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.407{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.407{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.405{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.405{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.405{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.404{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.404{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.404{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.401{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.401{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.401{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.401{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.401{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.401{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.350{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A97-634D-7300-000000008502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.334{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A97-634D-7300-000000008502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.331{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.331{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.331{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.331{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.331{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A97-634D-7300-000000008502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.330{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A97-634D-7300-000000008502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.093{A78D3DEB-1A97-634D-7300-000000008502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.2.5Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=6C9AC5FDD1CC3DE4B5CE3554BB97C44D,SHA256=0A50534D41D6E6CB8CF82D11B50318C26429D606EF43C9B9DC10C9098B87DE77,IMPHASH=B93C7B1A01AE4E8C3FA69FD9F2A758E7{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.259{A78D3DEB-1A96-634D-7100-000000008502}23203932C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+20199b|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a72093|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000746552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.247{A78D3DEB-1A96-634D-7200-000000008502}3244NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsw901C.tmp\System.dllMD5=F020A8D9EDE1FB2AF3651AD6E0AC9CB1,SHA256=7EFE73A8D32ED1B01727AD4579E9EEC49C9309F2CB7BF03C8AFA80D70242D1C0,IMPHASH=FC0224E99E736751432961DB63A41B76truetrue 23542300x8000000000000000746551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.244{A78D3DEB-1A96-634D-7200-000000008502}3244NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsw901C.tmp\options.iniMD5=D5B270807BD5E8E117DB66010FD51AFA,SHA256=5A5E297948D13919E4432A5F7544DA14DE5ACCBE6D228F32162669148853EDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.241{A78D3DEB-1A96-634D-7200-000000008502}3244NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsw901C.tmp\InstallOptions.dllMD5=170C17AC80215D0A377B42557252AE10,SHA256=61EA114D9D0CD1E884535095AA3527A6C28DF55A4ECEE733C8C398F50B84CC3D,IMPHASH=4B45B7E00344A87332FBD12653854D1Atruetrue 23542300x8000000000000000746549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.238{A78D3DEB-1A96-634D-7200-000000008502}3244NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsw901C.tmp\final.iniMD5=CAE757421DB8D011E41266BFD9439885,SHA256=FF350A68202AADB145F590C8579F9284D2E3C324B0369FDE39E5A3A31D7B8204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.233{A78D3DEB-1A96-634D-7200-000000008502}3244NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsh900C.tmpMD5=E885C9B9629ECE93849C22D33B660A41,SHA256=DFCC6C69907CCFB159D25532905C5C55CA8592FDF30E136E0C1F836467880769,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000746547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localDLL2022-10-17 09:04:23.213{A78D3DEB-1A96-634D-7200-000000008502}3244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsw901C.tmp\System.dll2022-10-17 09:04:23.213 11241100x8000000000000000746546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localDLL2022-10-17 09:04:23.189{A78D3DEB-1A96-634D-7200-000000008502}3244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsw901C.tmp\InstallOptions.dll2022-10-17 09:04:23.189 10341000x8000000000000000746627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.968{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.968{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.863{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A98-634D-7500-000000008502}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.861{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.861{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.861{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.861{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.861{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.861{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.861{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.860{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.860{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.860{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A98-634D-7500-000000008502}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.860{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A98-634D-7500-000000008502}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.646{A78D3DEB-1A98-634D-7500-000000008502}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.856{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.856{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.854{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.854{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.843{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.843{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.843{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.843{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.841{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.841{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.816{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.815{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000746600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.262{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57041- 22542200x8000000000000000746599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:22.524{A78D3DEB-1A96-634D-7100-000000008502}2320win-dc-ctus-attack-range-8010fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x8000000000000000746598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.094{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A97-634D-7400-000000008502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.092{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.092{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.092{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.092{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.092{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.092{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.092{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.091{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.091{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.091{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A97-634D-7400-000000008502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.091{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A97-634D-7400-000000008502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.869{A78D3DEB-1A97-634D-7400-000000008502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000746644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:23.263{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57041- 10341000x8000000000000000746643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.662{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A99-634D-7600-000000008502}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.660{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.660{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.660{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.660{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.660{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.660{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.660{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.659{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.659{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.659{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A99-634D-7600-000000008502}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.658{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A99-634D-7600-000000008502}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.422{A78D3DEB-1A99-634D-7600-000000008502}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000746630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.511{A78D3DEB-1A7C-634D-1400-000000008502}1072WIN-DC-CTUS-ATT.us-east-2.ec2-utilities.amazonaws.com1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000746629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.189{A78D3DEB-1A89-634D-2700-000000008502}2572win-dc-ctus-attack-range-8010fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x8000000000000000746628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.014{A78D3DEB-1A98-634D-7500-000000008502}26243380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:26.404{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:26.404{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:26.404{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:26.404{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:26.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:26.402{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:26.401{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 354300x8000000000000000746677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.505{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60474- 354300x8000000000000000746676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.329{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63695- 354300x8000000000000000746675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.325{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49692-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.325{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49692-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.504{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60474- 354300x8000000000000000746672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.451{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:1db:ffff:c8c0:24bf:3ba:ffff-58772-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000746671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.451{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local58772-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000746670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.451{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local137netbios-nsfalse10.0.1.15WIN-HOST-CTUS-A137netbios-ns 22542200x8000000000000000746669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:25.330{A78D3DEB-1A89-634D-2800-000000008502}2600WIN-DC-CTUS-ATT0::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 22542200x8000000000000000746668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:24.513{A78D3DEB-1A96-634D-7100-000000008502}2320win-dc-ctus-attack-range-801.attackrange.local010.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x8000000000000000746667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.558{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A9A-634D-7700-000000008502}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.556{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.555{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.555{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.555{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.555{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.555{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.555{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.555{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.555{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.554{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A9A-634D-7700-000000008502}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.554{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A9A-634D-7700-000000008502}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.334{A78D3DEB-1A9A-634D-7700-000000008502}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.2.5Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=93E4AABDB4C09791F34C1FB96FFB7B34,SHA256=E04D140844ABB2D8C81C9FDC12A1D731CAEE3025C5A723F0358E74A49232797E,IMPHASH=745B5ABFE8841B7D74AD07D845F0D330{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.417{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.417{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.416{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.416{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.415{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.415{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.415{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.414{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.412{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.412{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000517689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:24.555{5C0BDE06-1A74-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal137netbios-nsfalse10.0.1.14-137netbios-ns 10341000x8000000000000000746707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.888{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A9B-634D-7900-000000008502}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.887{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.887{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.887{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.887{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.887{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.887{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.887{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.886{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.886{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.886{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A9B-634D-7900-000000008502}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.886{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A9B-634D-7900-000000008502}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.886{A78D3DEB-1A9B-634D-7900-000000008502}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000746694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.330{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63695- 354300x8000000000000000746693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.150{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49693-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.150{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49693-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 10341000x8000000000000000746691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.552{A78D3DEB-1A9B-634D-7800-000000008502}37803760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.341{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A9B-634D-7800-000000008502}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.339{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.339{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.339{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.338{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.338{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.338{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.338{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.338{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.338{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.338{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A9B-634D-7800-000000008502}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.337{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A9B-634D-7800-000000008502}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.110{A78D3DEB-1A9B-634D-7800-000000008502}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000517692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:27.337{5C0BDE06-1A79-634D-1D00-000000008502}1896crl.sectigo.com1460-C:\Windows\sysmon64.exe 22542200x8000000000000000517691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:27.319{5C0BDE06-1A79-634D-1D00-000000008502}1896crl.comodoca.com1460-C:\Windows\sysmon64.exe 734700x8000000000000000517690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.4467 (rs1_release.210604-1844)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=9DFC2E95D31B43B2833D3760C7E00A4B,SHA256=894FB2AC7BA15C6CCDBC62480B27A01A8FAE5B55E13D537251986D87B5A12483,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x8000000000000000746732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.968{A78D3DEB-1A9C-634D-7A00-000000008502}39403936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.779{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A9C-634D-7A00-000000008502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.777{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.777{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.777{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.776{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.776{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.776{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.776{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.776{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.776{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.776{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A9C-634D-7A00-000000008502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.775{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A9C-634D-7A00-000000008502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.559{A78D3DEB-1A9C-634D-7A00-000000008502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000746718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.975{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49694-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.975{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49694-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.548{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56041- 354300x8000000000000000746715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.548{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60005- 354300x8000000000000000746714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.548{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63696- 22542200x8000000000000000746713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.361{A78D3DEB-1A7C-634D-1400-000000008502}1072www.msftconnecttest.com1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000746712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.360{A78D3DEB-1A7C-634D-1400-000000008502}1072us-east-2.compute.internal1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000746711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:26.846{A78D3DEB-1A7C-634D-1200-000000008502}448wpad1460-C:\Windows\System32\svchost.exe 17141700x8000000000000000746710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:28.135{A78D3DEB-1A7C-634D-1200-000000008502}448\W32TIME_ALTC:\Windows\system32\svchost.exe 10341000x8000000000000000746709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.130{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.056{A78D3DEB-1A9B-634D-7900-000000008502}22082112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000746773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:29.963{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 23542300x8000000000000000746772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.912{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D616C4FDACC454BEA929398CAEAA7233,SHA256=A5F753747B9A91FB14BC509CBDCE46EE7654D218B288E3A436B64DCBE8CE4665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.807{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=A09CDA9534F2A9BA7D3793CB5555643A,SHA256=2645964E73D800EA969685E357E374796D5BF163F412F1AC5517CF5877120852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.787{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=15C9F749E58BE2855223B5E6E4338E5B,SHA256=9051111DF60E9AD60D95079B9898A46DF34AEB33A1C7C2DDCBE1537DEC45D4EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000746769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.123{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56731- 354300x8000000000000000746768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.800{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49695-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.800{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49695-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.549{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56041- 354300x8000000000000000746765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.549{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63696- 354300x8000000000000000746764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:27.549{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60005- 23542300x8000000000000000746763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.764{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=3298EDE0E532648C8C38CF444A665C1C,SHA256=887FF6FE87596B3E975C251C130FA46DD2BC0F6B7F74C54071584A061CC15496,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000746762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.755{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.754{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.752{A78D3DEB-1A9D-634D-7B00-000000008502}32243368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+612c85|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+6127b6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+6130a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+6175e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+9f3c34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000746759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.130{A78D3DEB-1A7C-634D-1400-000000008502}1072_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000746758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:28.130{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 10341000x8000000000000000746757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.638{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.637{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.567{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.565{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.565{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.565{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.565{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.564{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.564{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.564{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.564{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.564{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.564{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.563{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.336{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.2.5Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=AB96D2BD3910F3BD75B0A3D92F63F465,SHA256=3CD6E00A0209A97B5281D09A97C06CF82CF0197C3C950E8EAFE5BACC4236BEB1,IMPHASH=2E1496526AAA190EABB9573D6C4DC049{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.468{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.468{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.466{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.466{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.465{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.465{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.465{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.464{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.462{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.462{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.869{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.869{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.866{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.866{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.817{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.817{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.817{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000746791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.312{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A61812- 354300x8000000000000000746790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.123{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56731- 10341000x8000000000000000746789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.469{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1A9E-634D-7C00-000000008502}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.467{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.467{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.466{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.466{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.466{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.466{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.466{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.466{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.466{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A9E-634D-7C00-000000008502}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000746779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.466{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.465{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1A9E-634D-7C00-000000008502}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000746777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.233{A78D3DEB-1A9E-634D-7C00-000000008502}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000746776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.452{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.452{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:30.452{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 22542200x8000000000000000746799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.757{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 22542200x8000000000000000746805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:29.962{A78D3DEB-1A7C-634D-1600-000000008502}1236win10.ipv6.microsoft.com.1460-C:\Windows\System32\svchost.exe 644600x8000000000000000746804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:47.998C:\Windows\System32\drivers\ena.sysMD5=65A3B3392440F3A0D5C872E0A2BC60D2,SHA256=D43D6DDFDC6038FE22A8ED708AD1C19FAF080C939E34D4E826B7F65948E8F9E1,IMPHASH=6FFD351A81BB8A4D4E0238012A115086trueAmazon Web Services, Inc.Valid 644600x8000000000000000746803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:47.857C:\Windows\System32\drivers\npcap.sysMD5=0248E428603D75C9B57ECE50A6AF8BD8,SHA256=4FACA21D8E1D609E53B606039DE2AFF06E1067023BEE7FC2492244E32E6AA9F5,IMPHASH=091E865D116FE7C227508B3A9EB8C4D2trueInsecure.Com LLCValid 644600x8000000000000000746802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:47.654C:\Windows\System32\drivers\AWSNVMe.sysMD5=107A18FF866DABA3C1F81A513F134BD0,SHA256=90A15A7EF2AF4B0ECBB863C8F28F105DE8A0779357FBC68580550846F0B5674C,IMPHASH=38C42FFC959E42970135FFB1C392B14FtrueAmazon Web Services, Inc.Valid 644600x8000000000000000746801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.279C:\Windows\System32\drivers\AWSNVMe.sysMD5=107A18FF866DABA3C1F81A513F134BD0,SHA256=90A15A7EF2AF4B0ECBB863C8F28F105DE8A0779357FBC68580550846F0B5674C,IMPHASH=38C42FFC959E42970135FFB1C392B14FtrueAmazon Web Services, Inc.Valid 10341000x8000000000000000746800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:32.028{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000746807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.966{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x8000000000000000746806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.920{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 22542200x8000000000000000517693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:32.462{5C0BDE06-1A79-634D-1600-000000008502}1220wpad.us-east-2.ec2-utilities.amazonaws.com1460-C:\Windows\System32\svchost.exe 17141700x8000000000000000746814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:35.639{A78D3DEB-1A89-634D-2D00-000000008502}2672\Winsock2\CatalogChangeListener-a70-0C:\Windows\system32\dns.exe 13241300x8000000000000000746813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:35.638{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\DNS\Parameters\PreviousLocalHostnamewin-dc-ctus-attack-range-801.attackrange.local 10341000x8000000000000000746812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.634{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 734700x8000000000000000746811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.592{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000746810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.557{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.556{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000746808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:35.556{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion CompleteDWORD (0x00000001) 10341000x8000000000000000746888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.953{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.950{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.949{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.946{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.940{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.939{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.937{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.935{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.934{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.933{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.932{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.930{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.912{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.907{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.896{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.892{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.885{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 734700x8000000000000000746871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.4467 (rs1_release.210604-1844)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=9DFC2E95D31B43B2833D3760C7E00A4B,SHA256=894FB2AC7BA15C6CCDBC62480B27A01A8FAE5B55E13D537251986D87B5A12483,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x8000000000000000746870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.879{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.877{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.877{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.875{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.875{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.875{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.871{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.867{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.867{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.867{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.867{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.865{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.865{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.864{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.863{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.863{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.863{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.863{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.861{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.861{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.861{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.861{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.859{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.859{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.857{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.857{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.857{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.857{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.857{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.856{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.856{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.854{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.854{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.854{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.854{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.852{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.852{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000746833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.851{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.819{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.817{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 354300x8000000000000000746830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.627{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50465- 354300x8000000000000000746829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.627{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50465-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domain 354300x8000000000000000746828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.626{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49699-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.626{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49699-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.553{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49698-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.553{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49698-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000746824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.550{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local137netbios-ns 354300x8000000000000000746823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.550{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 22542200x8000000000000000746822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.994{A78D3DEB-1A89-634D-2D00-000000008502}2672attackrange.local0type: 2 win-dc-ctus-attack-range-801.attackrange.local;10.0.1.14;C:\Windows\System32\dns.exe 22542200x8000000000000000746821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.992{A78D3DEB-1A89-634D-2D00-000000008502}2672win-dc-ctus-attack-range-801.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x8000000000000000746820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.987{A78D3DEB-1A7C-634D-1400-000000008502}1072WIN-DC-CTUS-ATT.us-east-2.ec2-utilities.amazonaws.com9003-C:\Windows\System32\svchost.exe 22542200x8000000000000000746819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.987{A78D3DEB-1A7C-634D-1400-000000008502}1072us-east-2.compute.internal9501-C:\Windows\System32\svchost.exe 22542200x8000000000000000746818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.983{A78D3DEB-1A79-634D-0B00-000000008502}648_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9502-C:\Windows\System32\lsass.exe 22542200x8000000000000000746817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.979{A78D3DEB-1A7C-634D-1400-000000008502}1072_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9502-C:\Windows\System32\svchost.exe 22542200x8000000000000000746816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.977{A78D3DEB-1A7C-634D-1400-000000008502}1072us-east-2.compute.internal9502-C:\Windows\System32\svchost.exe 22542200x8000000000000000746815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.561{A78D3DEB-1A89-634D-2D00-000000008502}2672win-dc-ctus-attack-range-801.attackrange.local0fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 354300x8000000000000000517694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:36.076{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal61812-false10.0.1.14-53domain 354300x8000000000000000746915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.685{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local65202- 354300x8000000000000000746914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.392{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local65058- 354300x8000000000000000746913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.391{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49701-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local135epmap 354300x8000000000000000746912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.391{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49701-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local135epmap 22542200x8000000000000000746911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.265{A78D3DEB-1A79-634D-0B00-000000008502}648_msdcs.attackrange.local.0type: 2 win-dc-ctus-attack-range-801.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.263{A78D3DEB-1A79-634D-0B00-000000008502}648_msdcs.attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.262{A78D3DEB-1A79-634D-0B00-000000008502}648759fdc0a-ac69-4c62-85e2-e9eb08f2512a._msdcs.attackrange.local.0type: 5 win-dc-ctus-attack-range-801.attackrange.local;C:\Windows\System32\lsass.exe 22542200x8000000000000000746908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.260{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.433b7f2b-f62b-4cfb-88b9-5dfd4c9c0649.domains._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.258{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.pdc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.256{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.254{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.252{A78D3DEB-1A79-634D-0B00-000000008502}648attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:36.398{A78D3DEB-1A79-634D-0B00-000000008502}648WIN-DC-CTUS-ATT0::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.999{A78D3DEB-1A89-634D-2D00-000000008502}2672attackrange.local0type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 10341000x8000000000000000746901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.345{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.343{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000746899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.309{A78D3DEB-1A79-634D-0B00-000000008502}648NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=D06EF7A2CF387C19C2DEB9C80615E204,SHA256=65F16F7F6192E53854FBD852005E1299A53A0469C6CFA3FCFCCCAB928213447E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000746898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.304{A78D3DEB-1A79-634D-0B00-000000008502}648NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=F78FC441A5F89700BE2F593F2B0AD888,SHA256=79D974946DDD458C6258BA27C0E5329D6B2C791FFE568CADD2CB06034E653590,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000746897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.991{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local56037-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domain 354300x8000000000000000746896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.990{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-56037-false127.0.0.1-53domain 354300x8000000000000000746895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.987{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local56037- 354300x8000000000000000746894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.987{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:1db:ffff:c8c0:24bf:3ba:ffff-56037-truea00:10e:0:0:0:0:0:0win-dc-ctus-attack-range-801.attackrange.local53domain 354300x8000000000000000746893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.985{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61737- 354300x8000000000000000746892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.971{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-56038-false127.0.0.1-53domain 354300x8000000000000000746891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:35.966{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local52288-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 10341000x8000000000000000746890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.012{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.010{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 22542200x8000000000000000517695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:36.077{5C0BDE06-1A79-634D-1600-000000008502}1220us-east-2.compute.internal9501-C:\Windows\System32\svchost.exe 354300x8000000000000000746982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.290{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local56539- 354300x8000000000000000746981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.290{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57200- 354300x8000000000000000746980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.289{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58185- 354300x8000000000000000746979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.288{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58199- 354300x8000000000000000746978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.286{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58936- 354300x8000000000000000746977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.285{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local59894- 22542200x8000000000000000746976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.299{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.297{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.296{A78D3DEB-1A79-634D-0B00-000000008502}648ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.294{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.292{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.291{A78D3DEB-1A79-634D-0B00-000000008502}648DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.289{A78D3DEB-1A79-634D-0B00-000000008502}648_kpasswd._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.287{A78D3DEB-1A79-634D-0B00-000000008502}648_kpasswd._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.286{A78D3DEB-1A79-634D-0B00-000000008502}648_kerberos._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.284{A78D3DEB-1A79-634D-0B00-000000008502}648_gc._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.282{A78D3DEB-1A79-634D-0B00-000000008502}648_gc._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.280{A78D3DEB-1A79-634D-0B00-000000008502}648_kerberos._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.279{A78D3DEB-1A79-634D-0B00-000000008502}648_kerberos._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.277{A78D3DEB-1A79-634D-0B00-000000008502}648_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.275{A78D3DEB-1A79-634D-0B00-000000008502}648_kerberos._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.274{A78D3DEB-1A79-634D-0B00-000000008502}648gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.272{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.270{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.268{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000746957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.266{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 354300x8000000000000000746956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.284{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64108- 354300x8000000000000000746955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.283{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50401- 354300x8000000000000000746954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.282{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local61792- 354300x8000000000000000746953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.280{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58724- 354300x8000000000000000746952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.280{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59560- 354300x8000000000000000746951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.280{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49703-false8.240.201.126-80http 354300x8000000000000000746950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.278{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56674- 354300x8000000000000000746949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.277{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local60160- 354300x8000000000000000746948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.276{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61583- 354300x8000000000000000746947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.275{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58749- 354300x8000000000000000746946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.275{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49259- 354300x8000000000000000746945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.273{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58561- 354300x8000000000000000746944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.272{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local63796- 354300x8000000000000000746943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.271{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60030- 354300x8000000000000000746942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.270{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local59159- 354300x8000000000000000746941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.270{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62590- 354300x8000000000000000746940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.269{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local63695- 354300x8000000000000000746939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.268{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49532- 354300x8000000000000000746938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.267{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57559- 354300x8000000000000000746937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.266{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50941- 354300x8000000000000000746936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.265{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local60806- 354300x8000000000000000746935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.264{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64464- 354300x8000000000000000746934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.263{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64369- 354300x8000000000000000746933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.262{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57550- 354300x8000000000000000746932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.261{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local63233- 354300x8000000000000000746931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.260{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59446- 354300x8000000000000000746930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.258{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64293- 354300x8000000000000000746929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.258{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63947- 354300x8000000000000000746928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.257{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50189- 354300x8000000000000000746927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.253{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local62483- 354300x8000000000000000746926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.252{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61860- 354300x8000000000000000746925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.250{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60848- 354300x8000000000000000746924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.248{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49632- 354300x8000000000000000746923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.247{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local51181- 354300x8000000000000000746922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.246{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59718- 354300x8000000000000000746921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.245{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64218- 354300x8000000000000000746920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.245{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64218-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domain 354300x8000000000000000746919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.244{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62414- 354300x8000000000000000746918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.244{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62414-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domain 354300x8000000000000000746917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.211{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49702-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49666- 354300x8000000000000000746916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.211{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49702-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49666- 10341000x8000000000000000746994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:39.881{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:39.880{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:39.878{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:39.877{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:39.876{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:39.875{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:39.874{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 354300x8000000000000000746987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.695{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58832- 354300x8000000000000000746986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.292{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49576- 22542200x8000000000000000746985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.901{A78D3DEB-1A7C-634D-1100-000000008502}380attackrange.local1460-C:\Windows\System32\svchost.exe 10341000x8000000000000000746984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:39.370{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000746983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:39.370{A78D3DEB-1A89-634D-3000-000000008502}28323404C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000517727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.662{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.659{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.657{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.656{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.652{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.650{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.647{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.639{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.635{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.633{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.632{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.629{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.627{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.621{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.603{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.598{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.596{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.592{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.583{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.552{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.519{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.507{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.499{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.494{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.484{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.472{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.466{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.457{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.447{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.432{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.427{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:40.424{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 354300x8000000000000000747001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:38.584{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49707-false172.64.155.188-80http 354300x8000000000000000747000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:38.572{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57576- 354300x8000000000000000746999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:38.548{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49706-false104.18.32.68-80http 354300x8000000000000000746998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:38.536{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58886- 354300x8000000000000000746997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:38.509{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49705-false172.64.155.188-80http 354300x8000000000000000746996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:38.495{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49886- 354300x8000000000000000746995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:37.706{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49704-false72.21.91.29-80http 13241300x8000000000000000517728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:04:42.907{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 354300x8000000000000000747004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:40.739{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64333- 354300x8000000000000000747003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:40.739{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63235- 354300x8000000000000000747002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:40.739{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58123- 354300x8000000000000000747008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:42.806{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63792- 10341000x8000000000000000747007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:43.144{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:43.144{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:43.144{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000517729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:42.910{5C0BDE06-1A79-634D-1600-000000008502}1220win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmsswestus.ipv6.microsoft.com.akadns.net;52.241.128.114;C:\Windows\System32\svchost.exe 10341000x8000000000000000747010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.978{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.978{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000747011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.978{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 22542200x8000000000000000747021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.986{A78D3DEB-1A7C-634D-1600-000000008502}1236win-dc-ctus-attack-range-801.attackrange.local0fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 354300x8000000000000000747020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.982{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49713-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49666- 354300x8000000000000000747019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.982{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49713-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49666- 354300x8000000000000000747018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.979{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49712-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local135epmap 354300x8000000000000000747017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.979{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49712-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local135epmap 354300x8000000000000000747016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.974{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49711-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49666- 22542200x8000000000000000747015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.980{A78D3DEB-1A79-634D-0B00-000000008502}648win-dc-ctus-attack-range-801.attackrange.local0fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 354300x8000000000000000747014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.974{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49711-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49666- 354300x8000000000000000747013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.972{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49710-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local135epmap 354300x8000000000000000747012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:45.972{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49710-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local135epmap 10341000x8000000000000000517744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.978{5C0BDE06-1AB5-634D-7700-000000008502}37203540C:\Windows\system32\conhost.exe{5C0BDE06-1AB5-634D-7600-000000008502}3700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1AB5-634D-7700-000000008502}3720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1AB5-634D-7600-000000008502}3700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A79-634D-1500-000000008502}10361712C:\Windows\system32\svchost.exe{5C0BDE06-1AB5-634D-7600-000000008502}3700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e034|c:\windows\system32\UBPM.dll+11582|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:53.962{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.399{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.398{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.357{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.357{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.357{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.356{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.355{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.355{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.355{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.355{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.354{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.353{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 23542300x8000000000000000517772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.074{5C0BDE06-1AB5-634D-7600-000000008502}3700NT AUTHORITY\SYSTEMC:\Windows\system32\cmd.exeC:\Windows\Temp\silconfig.logMD5=E194E501A281C8C0A0E23CE3F77FA7A7,SHA256=1F92771000954CDBA4BFE7471BFD4459291517EB863C8EABE85282FC2045E3C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.058{5C0BDE06-1A79-634D-1600-000000008502}12201496C:\Windows\System32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.043{5C0BDE06-1AB5-634D-7700-000000008502}37203540C:\Windows\system32\conhost.exe{5C0BDE06-1AB6-634D-7900-000000008502}3860C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.043{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1AB6-634D-7900-000000008502}3860C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.027{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.027{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.027{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.027{5C0BDE06-1AB6-634D-7800-000000008502}38923884C:\Windows\system32\cmd.exe{5C0BDE06-1AB6-634D-7900-000000008502}3860C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.039{5C0BDE06-1AB6-634D-7900-000000008502}3860C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5C0BDE06-1AB6-634D-7800-000000008502}3892C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x8000000000000000517757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.027{5C0BDE06-1AB5-634D-7700-000000008502}37203540C:\Windows\system32\conhost.exe{5C0BDE06-1AB6-634D-7800-000000008502}3892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1AB6-634D-7800-000000008502}3892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.011{5C0BDE06-1AB5-634D-7600-000000008502}37003656C:\Windows\system32\cmd.exe{5C0BDE06-1AB6-634D-7800-000000008502}3892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.023{5C0BDE06-1AB6-634D-7800-000000008502}3892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1AB5-634D-7600-000000008502}3700C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 354300x8000000000000000747022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:53.897{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A55786- 10341000x8000000000000000517798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.627{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.627{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.627{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.627{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.625{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.625{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.607{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.607{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.605{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.605{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 354300x8000000000000000517788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:54.021{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49694-false8.240.214.254-80http 23542300x8000000000000000517787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:56.106{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\respondent-20221017090356-000MD5=75B25DC729C19E88528C82668494583A,SHA256=ABB595BDF77E2788F2F972811CAEECA924DDF1180379487ABCCADDFB4B859A12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.995{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.984{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.953{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.943{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.919{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.900{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.894{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.887{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.881{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.870{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.863{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.829{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.825{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 23542300x8000000000000000517799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:57.114{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-001MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.912{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.912{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.912{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.911{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.911{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.911{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.909{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.909{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.909{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.909{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.909{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.907{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.907{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000747095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:56.111{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A62343- 10341000x8000000000000000747094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.555{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.550{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 23542300x8000000000000000747092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.252{A78D3DEB-1AB9-634D-7D00-000000008502}1628NT AUTHORITY\SYSTEMC:\Windows\system32\cmd.exeC:\Windows\Temp\silconfig.logMD5=B930997A6FBB4A3692E321BE0A07A781,SHA256=DF0847114669893C06E31922CB422AD5515542F89DD50EDD6C5B02010479947C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.234{A78D3DEB-1AB9-634D-7E00-000000008502}20962240C:\Windows\system32\conhost.exe{A78D3DEB-1AB9-634D-8000-000000008502}3928C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.232{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.232{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.231{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.231{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.231{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.231{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.231{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.231{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.231{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.231{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1AB9-634D-8000-000000008502}3928C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.230{A78D3DEB-1AB9-634D-7F00-000000008502}35203532C:\Windows\system32\cmd.exe{A78D3DEB-1AB9-634D-8000-000000008502}3928C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.230{A78D3DEB-1AB9-634D-8000-000000008502}3928C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{A78D3DEB-1AB9-634D-7F00-000000008502}3520C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x8000000000000000747078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.225{A78D3DEB-1AB9-634D-7E00-000000008502}20962240C:\Windows\system32\conhost.exe{A78D3DEB-1AB9-634D-7F00-000000008502}3520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1AB9-634D-7F00-000000008502}3520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.222{A78D3DEB-1AB9-634D-7D00-000000008502}16282188C:\Windows\system32\cmd.exe{A78D3DEB-1AB9-634D-7F00-000000008502}3520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.223{A78D3DEB-1AB9-634D-7F00-000000008502}3520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1AB9-634D-7D00-000000008502}1628C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x8000000000000000747065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.195{A78D3DEB-1AB9-634D-7E00-000000008502}20962240C:\Windows\system32\conhost.exe{A78D3DEB-1AB9-634D-7D00-000000008502}1628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.193{A78D3DEB-1A7C-634D-1400-000000008502}10721564C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.180{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1AB9-634D-7E00-000000008502}2096C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.175{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.175{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.175{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.175{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.175{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.175{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.175{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.174{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AB9-634D-7D00-000000008502}1628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.174{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.174{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.174{A78D3DEB-1A7C-634D-1600-000000008502}12361372C:\Windows\system32\svchost.exe{A78D3DEB-1AB9-634D-7D00-000000008502}1628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e034|c:\windows\system32\UBPM.dll+11582|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.171{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.170{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.083{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.076{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.070{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.063{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.062{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.056{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.039{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.037{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.035{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.032{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.031{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.030{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.028{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:57.027{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000517803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:59.962{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:59.961{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:59.959{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:59.959{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000747111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:59.591{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:59.590{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:59.346{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.672{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.669{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.665{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.663{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.659{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.657{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.650{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.646{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.644{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.639{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.636{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.633{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.632{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.627{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.614{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.612{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.609{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.606{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.590{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.558{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 354300x8000000000000000517815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:58.459{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49696-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000517814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.536{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.525{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.517{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.500{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.488{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.478{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.466{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.456{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.437{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.435{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:00.425{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 734700x8000000000000000747182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.958{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.4467 (rs1_release.210604-1844)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=9DFC2E95D31B43B2833D3760C7E00A4B,SHA256=894FB2AC7BA15C6CCDBC62480B27A01A8FAE5B55E13D537251986D87B5A12483,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 23542300x8000000000000000747181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.870{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.854{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.776{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.776{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000747176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7C-634D-1600-000000008502}12361932C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7C-634D-1600-000000008502}12361932C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.761{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.714{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000747155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:00.714{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrityDWORD (0x00000001) 13241300x8000000000000000747154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:00.714{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealDWORD (0x00000001) 13241300x8000000000000000747153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:00.714{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\requiresecuritysignatureDWORD (0x00000001) 13241300x8000000000000000747152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:00.714{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\enablesecuritysignatureDWORD (0x00000001) 13241300x8000000000000000747151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1101SetValue2022-10-17 09:05:00.714{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 10341000x8000000000000000747150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.714{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.714{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000747148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.221{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=F443C7B00E42C58336E9113C4B92A1EA,SHA256=01406B7BD612A8321213382482E44EA2C7B5467B57E17E9C135EAB2A8221FAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.190{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=26FFB2926F32F78EAEF80D8A870A88C6,SHA256=BA4E44773C9233D16C9950097A1D1FEF3AB2E8376120959E529DC97EF1871D7C,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000747146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:00.190{A78D3DEB-1A7C-634D-1600-000000008502}1236\scerpcC:\Windows\system32\svchost.exe 23542300x8000000000000000747145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.190{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00001.infMD5=DBBF697C05F302D06DD05403297DB608,SHA256=632CAD193E30E450B7753E6D16643B576DFABAA1FA60E8D29DA7665946810599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.175{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00000.domMD5=338F5A9E4E606FC803055C8314E3F366,SHA256=DD15D6AD575AD10CBA979783EE68DC6A5A21ECDABDB4E0678F83870931BBD317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.159{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.159{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.159{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.159{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.109{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.106{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.104{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.103{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.101{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.100{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.097{A78D3DEB-1A89-634D-3000-000000008502}28323500C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012780190) 10341000x8000000000000000747132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.080{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.080{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.080{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.080{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.080{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.080{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.080{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000747114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.065{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000747227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.085{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49720-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.085{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49720-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.073{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49719-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.073{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49719-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:59.341{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49718-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local445microsoft-ds 354300x8000000000000000747222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:59.341{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49718-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local445microsoft-ds 22542200x8000000000000000747221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:59.347{A78D3DEB-1A7C-634D-1100-000000008502}380win-dc-ctus-attack-range-801.attackrange.local0fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 10341000x8000000000000000747220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.146{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.146{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.123{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.123{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.121{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.121{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.114{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.114{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.112{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.112{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.110{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.110{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.110{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.110{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.107{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.107{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.061{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.061{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.061{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.061{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.061{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.059{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.059{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.059{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.057{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.056{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.050{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.049{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.048{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.045{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.045{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.032{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.032{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.032{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.032{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.030{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.026{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:01.026{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000747228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:00.366{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54772- 10341000x8000000000000000517836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:03.664{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000747259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.915{A78D3DEB-1A79-634D-0B00-000000008502}648NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=D06EF7A2CF387C19C2DEB9C80615E204,SHA256=65F16F7F6192E53854FBD852005E1299A53A0469C6CFA3FCFCCCAB928213447E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.915{A78D3DEB-1A79-634D-0B00-000000008502}648NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=2D09DD7B842ABDA5B4965F269122CE3C,SHA256=363CC51FDD8C8052C3EAEDE3FE50B3EF710C04F63A0B75F6387922014556EBF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.852{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.852{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000747255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.822{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{68fe3e29-f0a4-4c3e-9f05-f292b65d00f4}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x8000000000000000747254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.822{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{68fe3e29-f0a4-4c3e-9f05-f292b65d00f4}\LastProbeTimeDWORD (0x634d1abf) 13241300x8000000000000000747253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.822{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{68FE3E29-F0A4-4C3E-9F05-F292B65D00F4}\DateLastConnectedBinary Data 10341000x8000000000000000747252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.805{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.790{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.790{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.790{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000747248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.790{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x8000000000000000747247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.790{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 10341000x8000000000000000747246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.774{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.774{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.727{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000747243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.727{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 13241300x8000000000000000747242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.712{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000001) 10341000x8000000000000000747241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.712{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000747240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.712{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000000) 10341000x8000000000000000747239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.712{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.712{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.712{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.712{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.712{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.680{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000747233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.665{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.665{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000747231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.649{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000747230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.649{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000002) 13241300x8000000000000000747229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:03.649{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device 13241300x8000000000000000747280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:04.836{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000559) 354300x8000000000000000747279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.818{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57109- 354300x8000000000000000747278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.802{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64575- 354300x8000000000000000747277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.801{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62467- 354300x8000000000000000747276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.801{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58512- 354300x8000000000000000747275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.801{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62398- 354300x8000000000000000747274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.736{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:3425:2c5c:f5ff:fef1-546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000747273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.714{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49723-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.714{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49723-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.667{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49722-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local445microsoft-ds 354300x8000000000000000747270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.667{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49722-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local445microsoft-ds 354300x8000000000000000747269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.653{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63392-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63392- 354300x8000000000000000747268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.627{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63876- 22542200x8000000000000000747267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.828{A78D3DEB-1A7C-634D-1600-000000008502}1236isatap.us-east-2.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x8000000000000000747266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.826{A78D3DEB-1A7C-634D-1400-000000008502}1072fstdmrcgdtue1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000747265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.812{A78D3DEB-1A7C-634D-1200-000000008502}448wpad9003-C:\Windows\System32\svchost.exe 22542200x8000000000000000747264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.810{A78D3DEB-1A79-634D-0B00-000000008502}648_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000747263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.719{A78D3DEB-1A7C-634D-1400-000000008502}1072win-dc-ctus-attack-range-801.attackrange.local0fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x8000000000000000747262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.672{A78D3DEB-1A7C-634D-1100-000000008502}380win-dc-ctus-attack-range-8010fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x8000000000000000747261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.635{A78D3DEB-1A7C-634D-1600-000000008502}1236win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmsswestus.ipv6.microsoft.com.akadns.net;52.241.128.114;C:\Windows\System32\svchost.exe 13241300x8000000000000000747260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:04.133{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c55) 354300x8000000000000000747328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.913{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49839- 354300x8000000000000000747327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.913{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58804- 354300x8000000000000000747326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.911{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57101- 354300x8000000000000000747325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.909{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50869- 354300x8000000000000000747324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.906{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local60297- 354300x8000000000000000747323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.905{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57792- 354300x8000000000000000747322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.903{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58914- 354300x8000000000000000747321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.902{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local60947- 354300x8000000000000000747320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.902{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64013- 354300x8000000000000000747319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.900{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49250- 354300x8000000000000000747318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.899{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57082- 354300x8000000000000000747317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.898{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64055- 354300x8000000000000000747316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.897{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61629- 354300x8000000000000000747315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.893{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local61988- 354300x8000000000000000747314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.890{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50006- 354300x8000000000000000747313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.888{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local61043- 354300x8000000000000000747312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.886{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local56746- 354300x8000000000000000747311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.882{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61087- 354300x8000000000000000747310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.881{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local63910- 354300x8000000000000000747309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.880{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61101- 354300x8000000000000000747308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.878{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local65224- 354300x8000000000000000747307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.877{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local50462- 354300x8000000000000000747306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.876{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50118- 354300x8000000000000000747305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.875{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local65516- 354300x8000000000000000747304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.873{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local63948- 354300x8000000000000000747303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.872{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63044- 354300x8000000000000000747302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.871{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local63375- 354300x8000000000000000747301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.868{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local65170- 354300x8000000000000000747300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.863{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58888- 354300x8000000000000000747299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.862{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local65395- 354300x8000000000000000747298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.859{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57737- 354300x8000000000000000747297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.858{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64431- 354300x8000000000000000747296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.857{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local60143- 354300x8000000000000000747295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.857{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62391- 354300x8000000000000000747294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.855{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local60638- 354300x8000000000000000747293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.854{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61990- 354300x8000000000000000747292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.853{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local60715- 354300x8000000000000000747291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.850{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58680- 354300x8000000000000000747290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:03.849{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57728- 13241300x8000000000000000747289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:05.389{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e207-0x8c4c5fe7) 10341000x8000000000000000747288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.324{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.323{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.313{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.313{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.313{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.313{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.311{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.311{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000747386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.935{A78D3DEB-1A79-634D-0B00-000000008502}648NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=D06EF7A2CF387C19C2DEB9C80615E204,SHA256=65F16F7F6192E53854FBD852005E1299A53A0469C6CFA3FCFCCCAB928213447E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.935{A78D3DEB-1A79-634D-0B00-000000008502}648NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=1B6EC7275DB5D31299FA98CD2ADED22E,SHA256=21BE839A142514D3553D7FDC78645207B994B5D7A94F54A6CBDA393459355F69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000747384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:04.642{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56709- 10341000x8000000000000000747383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.904{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.904{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.857{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.857{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000747369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x8000000000000000747368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x8000000000000000747367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x8000000000000000747366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000747365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000747364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000747363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\FlagsDWORD (0x00000002) 13241300x8000000000000000747362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\TtlDWORD (0x000004b0) 13241300x8000000000000000747361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentPriUpdateToIpBinary Data 13241300x8000000000000000747360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentUpdateToIpBinary Data 13241300x8000000000000000747359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\DnsServersBinary Data 13241300x8000000000000000747358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\HostAddrsBinary Data 13241300x8000000000000000747357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\PrimaryDomainNameattackrange.local 13241300x8000000000000000747356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x8000000000000000747355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\AdapterDomainName(Empty) 13241300x8000000000000000747354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\Hostnamewin-dc-ctus-attack-range-801 10341000x8000000000000000747353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.810{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000747352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:06.810{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 10341000x8000000000000000747351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000747339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:04.633{A78D3DEB-1A7C-634D-1400-000000008502}1072win-dc-ctus-attack-range-8011460-C:\Windows\System32\svchost.exe 10341000x8000000000000000747338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.273{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.273{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.273{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.273{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.272{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.272{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.272{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.272{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.270{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.270{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000747434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.920{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64157- 354300x8000000000000000747433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.918{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57758- 354300x8000000000000000747432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.917{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59328- 354300x8000000000000000747431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.916{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local63101- 354300x8000000000000000747430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.915{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61053- 354300x8000000000000000747429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.914{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64382- 354300x8000000000000000747428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.913{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57554- 354300x8000000000000000747427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.912{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63767- 354300x8000000000000000747426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.911{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local50486- 354300x8000000000000000747425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.910{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62047- 354300x8000000000000000747424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.908{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local59508- 354300x8000000000000000747423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.908{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49968- 354300x8000000000000000747422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.907{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local62590- 354300x8000000000000000747421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.903{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local56110- 354300x8000000000000000747420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.903{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59871- 354300x8000000000000000747419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.898{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local62559- 354300x8000000000000000747418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.898{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61258- 354300x8000000000000000747417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.897{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local51148- 354300x8000000000000000747416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.896{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63954- 354300x8000000000000000747415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.895{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local62286- 354300x8000000000000000747414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.894{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57778- 354300x8000000000000000747413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.893{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57060- 354300x8000000000000000747412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.893{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59311- 354300x8000000000000000747411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.892{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local65083- 354300x8000000000000000747410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.891{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60047- 354300x8000000000000000747409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.889{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60748- 354300x8000000000000000747408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.887{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local59888- 354300x8000000000000000747407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.885{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local56038- 354300x8000000000000000747406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.846{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58065- 354300x8000000000000000747405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.845{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local60699- 354300x8000000000000000747404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.842{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50513- 354300x8000000000000000747403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.828{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local50281- 354300x8000000000000000747402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.826{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57724- 354300x8000000000000000747401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.825{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63967- 354300x8000000000000000747400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.825{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58574- 354300x8000000000000000747399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.821{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57679-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.821{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57679-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.818{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57678-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domain 354300x8000000000000000747396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.818{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57678-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domain 354300x8000000000000000747395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.811{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local56037-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domain 354300x8000000000000000747394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.789{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61864- 354300x8000000000000000747393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.789{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49423- 354300x8000000000000000747392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.319{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local123ntpfalse168.61.215.74-123ntp 354300x8000000000000000747391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:05.318{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61750- 22542200x8000000000000000747390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.832{A78D3DEB-1A7C-634D-1400-000000008502}1072attackrange.local0type: 2 win-dc-ctus-attack-range-801.attackrange.local;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x8000000000000000747389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.828{A78D3DEB-1A89-634D-2D00-000000008502}2672win-dc-ctus-attack-range-801.attackrange.local0fe80::7952:f0aa:bbbd:6ad5;fe80::3425:2c5c:f5ff:fef1;2001:0:34f1:8072:3425:2c5c:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x8000000000000000747388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.818{A78D3DEB-1A7C-634D-1400-000000008502}1072win-dc-ctus-attack-range-801.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 13241300x8000000000000000747387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:07.842{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000055a) 354300x8000000000000000747448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.934{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64911- 354300x8000000000000000747447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.933{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59580- 354300x8000000000000000747446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.932{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local62995- 354300x8000000000000000747445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.931{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62236- 354300x8000000000000000747444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.930{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local59544- 354300x8000000000000000747443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.928{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49308- 354300x8000000000000000747442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.926{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local50136- 354300x8000000000000000747441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.925{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61619- 354300x8000000000000000747440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.924{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60556- 354300x8000000000000000747439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.923{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local61516- 354300x8000000000000000747438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.922{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56092- 354300x8000000000000000747437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:06.921{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local51252- 10341000x8000000000000000747436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:08.340{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:08.340{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000747463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:08.337{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49353- 354300x8000000000000000747462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:07.728{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60227- 13241300x8000000000000000747461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000747460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000747459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000747458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\FlagsDWORD (0x00000002) 13241300x8000000000000000747457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\TtlDWORD (0x000004b0) 13241300x8000000000000000747456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentPriUpdateToIpBinary Data 13241300x8000000000000000747455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentUpdateToIpBinary Data 13241300x8000000000000000747454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\DnsServersBinary Data 13241300x8000000000000000747453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\HostAddrsBinary Data 13241300x8000000000000000747452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\PrimaryDomainNameattackrange.local 13241300x8000000000000000747451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\AdapterDomainName(Empty) 13241300x8000000000000000747450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\Hostnamewin-dc-ctus-attack-range-801 13241300x8000000000000000747449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:09.821{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 354300x8000000000000000517837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:09.736{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000747466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:11.995{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\respondent-20221017090412-000MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000747465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:09.822{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local50482- 354300x8000000000000000747464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:09.821{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50850- 23542300x8000000000000000747499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.984{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\surveyor-20221017090410-001MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000747498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000747497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000747496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000747495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\FlagsDWORD (0x00000002) 13241300x8000000000000000747494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\TtlDWORD (0x000004b0) 13241300x8000000000000000747493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentPriUpdateToIpBinary Data 13241300x8000000000000000747492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentUpdateToIpBinary Data 13241300x8000000000000000747491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\DnsServersBinary Data 13241300x8000000000000000747490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\HostAddrsBinary Data 13241300x8000000000000000747489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\PrimaryDomainNameattackrange.local 13241300x8000000000000000747488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\AdapterDomainName(Empty) 13241300x8000000000000000747487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\Hostnamewin-dc-ctus-attack-range-801 13241300x8000000000000000747486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:12.826{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 10341000x8000000000000000747485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.474{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.474{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.474{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.474{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.474{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.472{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.472{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.470{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.470{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.469{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.469{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.467{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.466{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000747472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:09.828{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local63927- 354300x8000000000000000747471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:09.827{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58724- 354300x8000000000000000747470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:09.827{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57521- 354300x8000000000000000747469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:09.824{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57680-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:09.824{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57680-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:09.823{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64421- 354300x8000000000000000747501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.831{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64065- 354300x8000000000000000747500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:12.829{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58641- 10341000x8000000000000000747527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.982{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.980{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.972{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.968{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.962{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.954{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.952{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.949{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.946{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.944{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.944{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.942{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.939{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.913{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.906{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.895{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.891{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.883{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.876{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.872{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.867{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.860{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.854{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.848{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.814{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:16.811{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 354300x8000000000000000747531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:15.574{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57683-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000747530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:15.553{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57682-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000747529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:17.438{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:17.434{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.991{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.990{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.988{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.987{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.985{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.984{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.983{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 354300x8000000000000000747535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:17.661{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60651- 10341000x8000000000000000747534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.474{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.473{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:19.352{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.717{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.713{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.707{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.703{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.697{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.695{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.690{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.688{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.683{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.674{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.673{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.668{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.663{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.649{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.636{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.634{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.631{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.627{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.610{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.560{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.539{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.523{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.515{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.493{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.485{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.477{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.466{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.454{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.445{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.438{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000517838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.435{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000747553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.639{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.639{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.636{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.636{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.631{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.631{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.631{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.631{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.630{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.628{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.628{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000747561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:21.866{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6DAA46C06CA9CA8C4C2757E0B6B251,SHA256=9ACF38A8732717E6F623B5C6F0398358263B4E5BAE2FD1DDF4C09DDCD7907562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:21.835{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D10F99844327E26D743B3EA1E0F80E2,SHA256=1769916FF2F2F4F96D1B949524E7CC0368D705AD86AA991E29A0B7A04B18BB06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:21.626{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000747558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:21.626{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=495E58EDD4CB9641F5D6FC70ACF3233F,SHA256=972C5C7809640372F2437A18C2C12C7867A180AB81CAD61503DDE42A8364E8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:21.626{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=14C95EA51EA8779F96D982EE2B9D8BEF,SHA256=ED65A51E585D672951B545C0BCA8C7E07FFD10A2D44AD68F3CF62A4EAEE6BBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:21.626{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C0263879C8B1D5B91CC46A54D756FA92,SHA256=31B46278B3F39A0531E43E20C9E33187A166EC22B77471828591EE5A0303D0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:21.626{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F5CE80DD7FE99EC35F7C955855E6416E,SHA256=51AA56F8B591743C9D30A6C1805DD102C85646BF06A4FC867A2B7E5CE524761E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:21.626{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27D8FBCC9CDC524150A6BAE012C7A313,SHA256=EA36365046DAC9F39E131DA522E7BC20D30C316BF5C72BE58695B290CE1A46A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:22.897{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:22.897{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000517874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:05:22.834{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000001) 13241300x8000000000000000517873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:05:22.834{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000000) 13241300x8000000000000000517872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:05:22.772{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000517871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:05:22.772{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000002) 13241300x8000000000000000517870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:05:22.772{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device 22542200x8000000000000000517869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:20.439{5C0BDE06-1A79-634D-1400-000000008502}1028wpad9003-C:\Windows\System32\svchost.exe 354300x8000000000000000747564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.337{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A61539- 354300x8000000000000000747563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:20.336{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A51568- 23542300x8000000000000000747562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:22.257{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B98558EADA0A58B3D0A576B93C46F92,SHA256=12402A997729D08CC884F859AABD5C74A9CC2E9D3CDB5A84C332A2E355CB07A4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000517879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:05:23.468{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c11) 10341000x8000000000000000517878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:23.356{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:23.355{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1AD3-634D-8100-000000008502}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1AD3-634D-8100-000000008502}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1AD3-634D-8100-000000008502}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.851{A78D3DEB-1AD3-634D-8100-000000008502}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000747565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.040{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488D31E558A6125A1001B8E41B700A27,SHA256=78252BC59BA5B0B71C3BD6378AB82E7FCCD2DE9C1859121D1935DDDF4F8AB8DD,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000517902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:22.773{5C0BDE06-1A79-634D-1500-000000008502}1036win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmsswestus.ipv6.microsoft.com.akadns.net;52.241.128.114;C:\Windows\System32\svchost.exe 10341000x8000000000000000517901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.457{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.457{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.457{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.457{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.457{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.456{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.456{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.455{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.455{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.454{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.454{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.407{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.407{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.407{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.407{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.405{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.405{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.405{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.405{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.401{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 13241300x8000000000000000517880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:05:24.291{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000054d) 10341000x8000000000000000747597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.679{A78D3DEB-1AD4-634D-8200-000000008502}30521980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000747596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:23.204{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49476- 354300x8000000000000000747595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:22.671{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60245- 354300x8000000000000000747594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:21.447{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57685-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal9997- 10341000x8000000000000000747593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1AD4-634D-8200-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AD4-634D-8200-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.507{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1AD4-634D-8200-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.509{A78D3DEB-1AD4-634D-8200-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000747580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.147{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C259F1CAE698A8FF3B4CB7C90DEDCD0,SHA256=F90C7D45C8C6C4EA56D644171BC1FC6B959659E5333428B4B4871DF3362874E6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000747579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.132{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 22542200x8000000000000000517905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:23.352{5C0BDE06-1A79-634D-1600-000000008502}1220www.msftconnecttest.com0type: 5 ncsi-geo.trafficmanager.net;type: 5 v4ncsi.msedge.net;type: 5 ncsi.4-c-0003.c-msedge.net;type: 5 4-c-0003.c-msedge.net;::ffff:13.107.4.52;C:\Windows\System32\svchost.exe 354300x8000000000000000517904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:23.370{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49704-false13.107.4.52-80http 354300x8000000000000000517903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:22.865{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:24fd:3a16:f5ff:fef0-546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000747615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.153{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57688-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.153{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57688-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.129{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000747612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.129{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 10341000x8000000000000000747611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1AD5-634D-8300-000000008502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AD5-634D-8300-000000008502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.262{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1AD5-634D-8300-000000008502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.265{A78D3DEB-1AD5-634D-8300-000000008502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000747598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:25.215{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7575C528FE25090DAED864A2B8A7974E,SHA256=C1C5232E28D4E968BA12E3D78B19FAB196C7A624F50C72B4BB215D993D5CABA3,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000517916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:24.135{5C0BDE06-1A79-634D-1600-000000008502}1220win-host-ctus-attack-range-171460-C:\Windows\System32\svchost.exe 10341000x8000000000000000517915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.584{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.583{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.583{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.583{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.582{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.582{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.582{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.582{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.580{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:26.580{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 354300x8000000000000000747620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.733{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A59067- 354300x8000000000000000747619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.733{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A65082- 354300x8000000000000000747618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.159{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57689-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local3268msft-gc 354300x8000000000000000747617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:24.159{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57689-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local3268msft-gc 23542300x8000000000000000747616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:26.296{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D428A58E06AFFCE0EFCBD1505936790,SHA256=C76364C8B2EE7D516D23B81CA2CABA092FAAD66576AB0631A3C2F13735201847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.954{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.954{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.954{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.954{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.952{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.952{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.952{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.952{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.950{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.950{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.859{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000747636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.625{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=657E094F0D1993B3DAAF0FE95D4AB169,SHA256=B9CC9FAB32F3CCDE1912E515A6DD55D7F7FB42328F8349712EFEE4C5C9688937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.484{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CB2037C9C932D5AB379AA03A821F62,SHA256=1262ECAE88CD1E8DED524F4024EEF75E083B9E18D942B0C2242A1A0533B73247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.296{A78D3DEB-1AD7-634D-8400-000000008502}10962504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1AD7-634D-8400-000000008502}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AD7-634D-8400-000000008502}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1AD7-634D-8400-000000008502}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:27.078{A78D3DEB-1AD7-634D-8400-000000008502}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000747682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.821{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25519FF6DBD10B2805E58252B13B9A9F,SHA256=9EE21345F976D3139C9EF77E2B4486E86CB59C0B0B1E7ED1859C397F0323AEE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.758{A78D3DEB-1AD8-634D-8600-000000008502}27281208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1AD8-634D-8600-000000008502}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.541{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1AD8-634D-8600-000000008502}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.539{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1AD8-634D-8600-000000008502}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.540{A78D3DEB-1AD8-634D-8600-000000008502}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000747667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.134{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC227DC4C0C70F4B43CA29ACDBF522AE,SHA256=A32FB7FF2A2151D064196000105A7AB9969A86A9B4A531D6F9F1EE67F6DA24C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.067{A78D3DEB-1AD7-634D-8500-000000008502}26842692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.044{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.042{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.042{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.040{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.040{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.040{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AD7-634D-8500-000000008502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000747684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.212{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57690-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000747683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:29.664{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6667B59ED4A93B50E6B134AE71DC07A1,SHA256=4E73A2A80966C411B8D83FF384B0C90C6FBB4CC0B68E45433EDC94652C8D6689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.752{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC50A1F9185CFEACFA4525FEE003F5E,SHA256=5E4A6A6D2E9A7205759BAEC34901685F54CE518FA174A632DBD04DFD4982F2F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000747698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:28.830{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57691-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000747697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1ADA-634D-8700-000000008502}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1ADA-634D-8700-000000008502}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.205{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1ADA-634D-8700-000000008502}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:30.206{A78D3DEB-1ADA-634D-8700-000000008502}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000517918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:29.754{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000517917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:29.245{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49706-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000747700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:31.829{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74EBAEA6B6813A55AEB85EA6C2B6F2CC,SHA256=1191125EBBECF3DEEE7187C07DD32CA3CBEAEC05A19496E556AAD1CC535FA6A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000517919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:30.261{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000747702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:32.921{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9034D8B44D96FA4238CB43CD611FDC51,SHA256=9E7B6A59CD73DE51BD468BABCBD0C029607442F6C1477AD9315463D46E2A69F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000747701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:29.382{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57692-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000747704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:32.636{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57693-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000747703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:34.014{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9724A5594FD408BBFBE11A67C65B80F4,SHA256=7275D7F06227D3649E6E49FC6050186F611A2872DB9F4093886C7AC790A5536E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000517921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:34.503{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000517920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:32.740{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49709-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000747705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:35.109{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9B3B7D211A033DEE7FCEC5C63184DB,SHA256=818B80367B2D8CBDD98EB48356C24C08A3C0205F0C076A3B93B4841A8BE5B398,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.992{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.982{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.967{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.959{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.944{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.927{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.919{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.904{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.893{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.882{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.872{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.810{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.805{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 23542300x8000000000000000747707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:36.195{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EAC04D38CCA22516044C662639C912,SHA256=2B180E078CE19917CDFE5D85FB22CF1175BC5F248C09203F9B03FB622AEEB87F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000747706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:34.612{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57694-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000747736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.630{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AB76E20DD4602943AE77AF27B88D42,SHA256=E5AEB4F1930E38C32A4BC4203C9AFA0B4190828ADE6027EECF59E36FE6940B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.468{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.467{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.116{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.111{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.102{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.096{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.090{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.077{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.075{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.072{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.067{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.065{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.063{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.060{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:37.057{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 23542300x8000000000000000747737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:38.567{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A3F6CB3811533F2D44CB936975C613,SHA256=C12499539EE8528257977331328DB372027CF3F33B23E15DDCE8014BEA27AF13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:39.676{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05042642A3A64C05A7BF901566A0A24E,SHA256=E49127430E700F21F68259B0DF8EAA66B7AA62BDC3989AF07DBB8D67EC3FEC82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:39.503{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:39.502{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000517952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.725{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.722{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.715{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.714{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.710{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.709{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.705{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.703{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.701{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.700{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.697{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.690{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.688{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.681{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.658{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.655{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.650{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.648{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.612{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.560{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.535{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.525{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.511{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.497{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.488{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.480{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.469{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.460{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.450{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.439{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000517922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.433{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 23542300x8000000000000000747759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.960{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B9BFB0B3D74BB74B2B02F7222E12672A,SHA256=0AEE0A27F4CC9E793248FDD0BDB52FBDE822FFCA53F5125E380EE2FA17F7F41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.757{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DDC41FF1431EB49AF41A094EED63F6,SHA256=FC276F4A46342092FC752E504FAB22D74057310ED7F7E20CA4417E7158EB2486,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.301{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.301{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.301{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.301{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.299{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.299{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.299{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.299{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.297{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.297{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.020{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.017{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.013{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.012{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.010{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.008{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 10341000x8000000000000000747741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.007{A78D3DEB-1A89-634D-3000-000000008502}28323504C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480610) 23542300x8000000000000000747775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.844{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AE81E7A286852AF133EA33CF243B7A,SHA256=4DEE934577C650A7A1495E46B7E85E8F5EC21133557FA069DD86031DDEAD601A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.330{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.330{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.328{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.328{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.327{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.327{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.327{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.327{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.326{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.326{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.326{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.322{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.319{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.319{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000747760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:39.033{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.187.221.34-31232-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local3389ms-wbt-server 354300x8000000000000000517953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:40.066{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49711-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000747915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.881{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.881{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.881{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.881{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.881{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.881{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.834{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.834{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.834{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.834{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.834{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.834{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.834{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1AE6-634D-8A00-000000008502}23522660C:\Windows\system32\winlogon.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.828{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{A78D3DEB-1AE6-634D-D123-0B0000000000}0xb23d12SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000747893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1d27e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.819{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1b736|C:\Windows\system32\lsasrv.dll+1cce5|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.803{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.803{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.788{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.788{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1AE6-634D-8A00-000000008502}2352376C:\Windows\system32\winlogon.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000747871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.772{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a55055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000747870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.756{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.756{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.756{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.756{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.756{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.756{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.756{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.600{A78D3DEB-1AE6-634D-8900-000000008502}1980368C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.533{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.533{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.533{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.533{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.533{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.533{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.491{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.491{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.490{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.490{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.366{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.366{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.366{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.364{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.364{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.364{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.364{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.364{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.362{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.362{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.362{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.362{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.362{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.362{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.359{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.359{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.356{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.356{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.354{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.353{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000747832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.335{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7814D85041138710D0AA9B6B49DB40,SHA256=52ED3AF0FD316C0C124BCA26E8A297A06E4D96D43AA09CBAED8B0266BB027E8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000747831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:40.259{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57695-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x8000000000000000747830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.219{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000747829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.219{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000747828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.219{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000747827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.219{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000747826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.219{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000747825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.219{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000747824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.203{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000747823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.203{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000747822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.203{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x8000000000000000747821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.203{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000747820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.203{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000747819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:42.203{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 10341000x8000000000000000747818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000747805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000747804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000747803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.203{A78D3DEB-1AE6-634D-8800-000000008502}6561172C:\Windows\System32\smss.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000747802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.201{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{A78D3DEB-1AE6-634D-8800-000000008502}656C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000007c 10341000x8000000000000000747801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.188{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.188{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.172{A78D3DEB-1AE6-634D-8800-000000008502}6561172C:\Windows\System32\smss.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000747789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.176{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{A78D3DEB-1AE6-634D-8800-000000008502}656C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000007c 10341000x8000000000000000747788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1AE6-634D-8800-000000008502}656C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.157{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1AE6-634D-8800-000000008502}656C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000747777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.166{A78D3DEB-1AE6-634D-8800-000000008502}656C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000d4 0000007c C:\Windows\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x8000000000000000747776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.110{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64A836F32E95CF6CF2EA90B4700A4FE7,SHA256=1B9C0F1AC0870D4BACB34C637958210B8E09B5D799F7B1539DB4111221E2EC78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.988{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.988{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.988{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.988{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.988{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.988{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.988{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.988{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.925{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE730BC34635F4191C4E8EDAF490F77,SHA256=4C36B599DCADA019D01FF8481F4348C61D27BF03668A19228264EBF7C2D73DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.925{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5058B0B385BC5B9597C6F67D14D95A7,SHA256=735C90BC4DEFFC85C5E6ECA4C3AEA592465DB6765DE6A01B2D532E8876665477,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.816{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.816{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.816{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.785{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A7C-634D-0F00-000000008502}300892C:\Windows\System32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\termsrv.dll+a1327|c:\windows\system32\termsrv.dll+6aa08|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.769{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.754{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.739{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.739{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.739{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.739{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.739{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.739{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.739{A78D3DEB-1A7C-634D-0F00-000000008502}300892C:\Windows\System32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\termsrv.dll+a1327|c:\windows\system32\termsrv.dll+6aa08|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.739{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.739{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.737{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.737{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000747979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.736{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000747978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:43.736{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-e0ea2a21-8a3e-4e79-8618-0e5b229c67c4C:\Windows\System32\svchost.exe 17141700x8000000000000000747977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:43.736{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-e0ea2a21-8a3e-4e79-8618-0e5b229c67c4C:\Windows\System32\svchost.exe 10341000x8000000000000000747976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.736{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.735{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.735{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000747973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.638{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26988693A087EFA8218A1B94EDA7DAC,SHA256=327A29D7619BD68BD5FE5447D10DCBFD6E8A54F2894FF76F24782CA552FD370D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000747972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.622{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000747971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:43.621{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-458af45e-916e-4153-ab7a-0b8cab1cd918C:\Windows\System32\svchost.exe 17141700x8000000000000000747970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:43.621{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-458af45e-916e-4153-ab7a-0b8cab1cd918C:\Windows\System32\svchost.exe 10341000x8000000000000000747969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.606{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.594{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.593{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.592{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.592{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.509{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.509{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.509{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.508{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.508{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.508{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 18141800x8000000000000000747958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:43.507{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-6eaa0c41-c13c-448f-baeb-c61fd9255536C:\Windows\System32\svchost.exe 17141700x8000000000000000747957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:43.507{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-6eaa0c41-c13c-448f-baeb-c61fd9255536C:\Windows\System32\svchost.exe 10341000x8000000000000000747956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.507{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000747955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.507{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000747954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:43.506{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-d2af73a0-e6e1-4259-bc3f-e0eb257044a1C:\Windows\System32\svchost.exe 17141700x8000000000000000747953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:43.506{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-d2af73a0-e6e1-4259-bc3f-e0eb257044a1C:\Windows\System32\svchost.exe 10341000x8000000000000000747952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.505{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.503{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.501{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.499{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.499{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.498{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.498{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.498{A78D3DEB-1A7C-634D-0F00-000000008502}3003132C:\Windows\System32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\termsrv.dll+a1327|c:\windows\system32\termsrv.dll+6a6ed|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.498{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.497{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.497{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.497{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.497{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.497{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.497{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.497{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.497{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.495{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.495{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.495{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.494{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.445{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.445{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.445{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.445{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.445{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.445{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000747925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.443{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000747924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.372{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8A15EBABB675BC14DFE93E5835DBC6,SHA256=960C8C77317C0D54188C61A3F1F3DC78BDDD80914219287EF1E493B773903317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000747923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.368{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=96922F0032A8ECBB5E6FCA57B17AFA5A,SHA256=B592E220B2B3C5F946B44CE2011163049BA08E4EC7F24431B2851B200EF24A5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000747922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:41.020{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56703- 10341000x8000000000000000747921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.209{A78D3DEB-1AE6-634D-8B00-000000008502}12002096C:\Windows\system32\LogonUI.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.209{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.209{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.990{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.990{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:42.990{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.981{A78D3DEB-1AE8-634D-9800-000000008502}47604808C:\Windows\system32\conhost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.970{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.970{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.959{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.951{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.951{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.951{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.950{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.950{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.950{A78D3DEB-1AE6-634D-8A00-000000008502}23521204C:\Windows\system32\winlogon.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000748372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.948{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000748371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.945{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.921{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.921{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.921{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.910{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.897{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.897{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.897{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.895{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.895{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.895{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.894{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.894{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.893{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.881{A78D3DEB-1A7C-634D-1000-000000008502}81028C:\Windows\System32\svchost.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.879{A78D3DEB-1A7C-634D-1000-000000008502}81028C:\Windows\System32\svchost.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.855{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.855{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.854{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.850{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.850{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.841{A78D3DEB-1AE8-634D-9000-000000008502}43404364C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000748340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.841{A78D3DEB-1AE8-634D-9000-000000008502}43404364C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000748339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.819{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.819{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.819{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.811{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.811{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.811{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.792{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.792{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000748331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:44.792{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-d2d71a2e-61aa-4a49-adb9-dd3387af5bc0C:\Windows\System32\svchost.exe 17141700x8000000000000000748330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:44.792{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-d2d71a2e-61aa-4a49-adb9-dd3387af5bc0C:\Windows\System32\svchost.exe 10341000x8000000000000000748329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.762{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.762{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.761{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.761{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.749{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.749{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.749{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.749{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.747{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.747{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000748319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.746{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2BD79704D90758C306F620FBC813B3,SHA256=3B8CD56BE39EB2FB9436DB5E68ED74563CD0773A9E126018B9149350E506EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.714{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.714{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.713{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.712{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.708{A78D3DEB-1A7C-634D-1600-000000008502}12361672C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.708{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.708{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.708{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.703{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.703{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.703{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.701{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.701{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.701{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.699{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.699{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.699{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.699{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.699{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.699{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.677{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.677{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.675{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.675{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.672{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.672{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.672{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.672{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.669{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.669{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 18141800x8000000000000000748288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:44.666{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-2e5c0748-5dff-4546-a189-ee145087abfdC:\Windows\System32\svchost.exe 17141700x8000000000000000748287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:44.666{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-2e5c0748-5dff-4546-a189-ee145087abfdC:\Windows\System32\svchost.exe 10341000x8000000000000000748286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.664{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-9400-000000008502}4436C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.661{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.661{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.661{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.660{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.660{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-9400-000000008502}4436C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.660{A78D3DEB-1A7C-634D-1600-000000008502}12361672C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9400-000000008502}4436C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+107e6|c:\windows\system32\UBPM.dll+d3c9|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.657{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.657{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.657{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.657{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.653{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.653{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.653{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.653{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.652{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.652{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.651{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.650{A78D3DEB-1A79-634D-0A00-000000008502}640708C:\Windows\system32\services.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.649{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.641{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.600{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.600{A78D3DEB-1A79-634D-0A00-000000008502}6402536C:\Windows\system32\services.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x8000000000000000748263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.597{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_c14c1\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x8000000000000000748262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.597{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_c14c1\FailureActionsBinary Data 13241300x8000000000000000748261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.597{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_c14c1\Security\SecurityBinary Data 13241300x8000000000000000748260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.597{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_c14c1\DisplayNameWindows Push Notifications User Service_c14c1 13241300x8000000000000000748259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.597{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_c14c1\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000748258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.597{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_c14c1\ErrorControlDWORD (0x00000000) 13241300x8000000000000000748257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.597{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_c14c1\StartDWORD (0x00000003) 13241300x8000000000000000748256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.597{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_c14c1\TypeDWORD (0x000000e0) 13241300x8000000000000000748255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.597{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_c14c1\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x8000000000000000748254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_c14c1\FailureActionsBinary Data 13241300x8000000000000000748253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_c14c1\Security\SecurityBinary Data 13241300x8000000000000000748252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_c14c1\DisplayNameUser Data Access_c14c1 13241300x8000000000000000748251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_c14c1\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000748250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_c14c1\ErrorControlDWORD (0x00000000) 13241300x8000000000000000748249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_c14c1\StartDWORD (0x00000003) 13241300x8000000000000000748248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_c14c1\TypeDWORD (0x000000e0) 13241300x8000000000000000748247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_c14c1\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x8000000000000000748246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_c14c1\FailureActionsBinary Data 13241300x8000000000000000748245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.596{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_c14c1\Security\SecurityBinary Data 13241300x8000000000000000748244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_c14c1\DisplayNameUser Data Storage_c14c1 13241300x8000000000000000748243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_c14c1\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000748242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_c14c1\ErrorControlDWORD (0x00000000) 13241300x8000000000000000748241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_c14c1\StartDWORD (0x00000003) 13241300x8000000000000000748240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_c14c1\TypeDWORD (0x000000e0) 13241300x8000000000000000748239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_c14c1\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x8000000000000000748238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_c14c1\FailureActionsBinary Data 13241300x8000000000000000748237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_c14c1\Security\SecurityBinary Data 13241300x8000000000000000748236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_c14c1\DisplayNameContact Data_c14c1 13241300x8000000000000000748235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_c14c1\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000748234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_c14c1\ErrorControlDWORD (0x00000000) 13241300x8000000000000000748233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_c14c1\StartDWORD (0x00000003) 13241300x8000000000000000748232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.595{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_c14c1\TypeDWORD (0x000000e0) 13241300x8000000000000000748231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_c14c1\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x8000000000000000748230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_c14c1\FailureActionsBinary Data 13241300x8000000000000000748229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_c14c1\Security\SecurityBinary Data 13241300x8000000000000000748228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_c14c1\DisplayNameSync Host_c14c1 13241300x8000000000000000748227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_c14c1\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000748226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_c14c1\ErrorControlDWORD (0x00000000) 13241300x8000000000000000748225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_c14c1\StartDWORD (0x00000002) 13241300x8000000000000000748224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_c14c1\TypeDWORD (0x000000e0) 13241300x8000000000000000748223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_c14c1\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x8000000000000000748222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_c14c1\FailureActionsBinary Data 13241300x8000000000000000748221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.594{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_c14c1\Security\SecurityBinary Data 13241300x8000000000000000748220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.593{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_c14c1\DisplayNameCDPUserSvc_c14c1 13241300x8000000000000000748219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.593{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_c14c1\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000748218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.593{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_c14c1\ErrorControlDWORD (0x00000001) 13241300x8000000000000000748217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1031,T1050SetValue2022-10-17 09:05:44.593{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_c14c1\StartDWORD (0x00000002) 13241300x8000000000000000748216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:44.593{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_c14c1\TypeDWORD (0x000000e0) 10341000x8000000000000000748215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.593{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.592{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.588{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.588{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.588{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.587{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.582{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.540{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.540{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.540{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000748205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:44.540{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-509cc1f6-d1dd-4170-b74f-dcc42d1e5d41C:\Windows\System32\svchost.exe 17141700x8000000000000000748204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:44.540{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-509cc1f6-d1dd-4170-b74f-dcc42d1e5d41C:\Windows\System32\svchost.exe 10341000x8000000000000000748203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.540{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.538{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.538{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.538{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.538{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.537{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.537{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.477{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.476{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.476{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.474{A78D3DEB-1AE8-634D-9000-000000008502}43404364C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000748192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.474{A78D3DEB-1AE8-634D-9000-000000008502}43404364C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000748191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.474{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.474{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000748189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.473{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BA56EF13D61CE553135D18A7B506BD,SHA256=89E3CA391683C3601812A4F71822FD977B471779E2D14689311BA08CA6ACA4DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.472{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.472{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.472{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.472{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.469{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.469{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000748182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.466{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E870A533C10B7138A8E0F56917C449F8,SHA256=F9CCCB2E28417C7C65F0C07A08168416A619D93442B7CE6F066C051B41B3B360,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.430{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.429{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.429{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.426{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.426{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.426{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.426{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000748174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:44.420{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-863cc4bd-9d22-44a3-9618-9ea30692fcd8C:\Windows\System32\svchost.exe 17141700x8000000000000000748173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:44.420{A78D3DEB-1A7C-634D-0F00-000000008502}300\TSVCPIPE-863cc4bd-9d22-44a3-9618-9ea30692fcd8C:\Windows\System32\svchost.exe 10341000x8000000000000000748172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.398{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.398{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.396{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.396{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.395{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.395{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.394{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.394{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.394{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.394{A78D3DEB-1A7C-634D-0F00-000000008502}300872C:\Windows\System32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 154100x8000000000000000748162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.385{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x8000000000000000748161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.381{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.366{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.365{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.364{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.351{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.350{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.350{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.350{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.350{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.350{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.350{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.350{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.349{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.349{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.349{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.348{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.348{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.348{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000748133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.344{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000748132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.332{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.317{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.286{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94D6C08E02CCC1EFFF395504563DEB0,SHA256=4436D7FC6898F546F53A29A0A5550013B86C0D66D3A9C2E3C77228BD913CF61E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.207{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.207{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.207{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.207{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.207{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.192{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.192{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.192{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.192{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.192{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.192{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.192{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.161{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.146{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.146{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.146{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.113{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.050{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.050{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.050{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.050{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.050{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.050{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.050{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.050{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.050{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.035{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.035{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.035{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.035{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.035{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.035{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.035{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.035{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.019{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.019{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.019{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8B00-000000008502}1200C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.019{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.019{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.019{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.003{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.003{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.003{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.003{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1b736|C:\Windows\system32\lsasrv.dll+1cce5|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:43.988{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.943{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.909{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.909{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.905{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.905{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.905{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.905{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.905{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.861{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.825{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.787{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.754{A78D3DEB-1AE8-634D-9000-000000008502}43404364C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000748592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.754{A78D3DEB-1AE8-634D-9000-000000008502}43404364C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000748591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.750{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.747{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.721{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.721{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.721{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.720{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.720{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.720{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.713{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.712{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.712{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.712{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.712{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.711{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.710{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.700{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.700{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.700{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.696{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.696{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.696{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.675{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.639{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.614{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB081D26CBEA1337AF00ACC337B5352,SHA256=577035B58716D66490E5555A06DC4239FAD285EB04F7B249D3F34C62808B3EB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.610{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.610{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.607{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E78BAA52CE86AC2FD2B196391592DD,SHA256=7E1C04D2D1A66F5847350F2A7F74C68187B69B0ADC2D6C82DDEC09E4A19E68E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.595{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.561{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.522{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.484{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.469{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.469{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.469{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.469{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.468{A78D3DEB-1A89-634D-2500-000000008502}24882560C:\Windows\System32\spoolsv.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1b6e3|C:\Windows\System32\spoolsv.exe+1b549|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+3582b|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.453{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.453{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.453{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.427{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.410{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.410{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.410{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.410{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.410{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.410{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.410{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.410{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.409{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-8E00-000000008502}4272C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE8-634D-8D00-000000008502}4204C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.408{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.407{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.406{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.406{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.406{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.406{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.406{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.406{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.406{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.406{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.405{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.404{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.404{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.404{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.404{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.404{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.404{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.404{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.404{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.403{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.403{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.403{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.403{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.403{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.403{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.403{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.403{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.403{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.402{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.402{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.402{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.402{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.402{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.402{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.402{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.402{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.401{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.401{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.401{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.401{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.401{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.401{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.401{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.401{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.400{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.400{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.369{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.369{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.369{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.368{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.367{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.367{A78D3DEB-1AE8-634D-9500-000000008502}44924496C:\Program Files\Aurora-Agent\aurora-agent-util.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+63df5|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c29770 10341000x8000000000000000748430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.364{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.363{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.358{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.358{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.341{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.336{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.336{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.336{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.335{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.335{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.335{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.332{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000748418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT10532022-10-17 09:05:45.326{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2022-10-04 11:04:02.836 23542300x8000000000000000748417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.318{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTaskMD5=7A2163BAF11F784E3E14894450E1185D,SHA256=299A7F1EA1B6D7319064263EF354F04C7B1EE1BA5CDE1D75F606F1708CE58615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.312{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE8-634D-9900-000000008502}4800C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.312{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AE8-634D-9900-000000008502}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.296{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9900-000000008502}4800C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.296{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9900-000000008502}4800C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000748412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.249{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57698-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000748411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.249{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57698-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000748410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.243{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57697-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000748409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.243{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57697-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000748408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.238{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57696-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local135epmap 354300x8000000000000000748407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.238{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57696-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local135epmap 10341000x8000000000000000748406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.216{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.196{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.196{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.196{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.071{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.071{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.071{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.069{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.069{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.069{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.067{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.067{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.067{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.067{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.067{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.067{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.042{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.041{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.041{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.041{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.040{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AE8-634D-9900-000000008502}4800C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.040{A78D3DEB-1AE8-634D-9700-000000008502}47484752C:\Windows\system32\userinit.exe{A78D3DEB-1AE8-634D-9900-000000008502}4800C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000748384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.980{A78D3DEB-1AE8-634D-9900-000000008502}4800C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 23542300x8000000000000000748383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.011{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870284FD89201D598331F226D6574D25,SHA256=325043DC2404D4AF21BAD957933A28C2941B4F094976195B0E803C624D97B503,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.999{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.999{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.984{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.984{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.968{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.848{A78D3DEB-1AE9-634D-9A00-000000008502}4876ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.733{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.733{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.718{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.718{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.702{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.702{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.702{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000748633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.702{A78D3DEB-1AE8-634D-9100-000000008502}43844444C:\Windows\system32\sihost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.702{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.702{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+41db1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.624{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.624{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.408{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.408{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.403{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.396{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.396{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.386{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.386{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.382{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.382{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.381{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.381{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.371{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.370{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.145{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DEC1A848DB945149B51D41B6C0724C,SHA256=B971E80B7FCE567662E899BD1B54CE08E0A28599A8013F59A834C33C6798CCAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.141{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3F014C21EBE8423376CB256C2AADAA,SHA256=C852B81C1AD569F73635FCF99F582E795A42A10ABBF2398E92AA2E8ADB07A27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.139{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=686B2478499E5C6E142D1521D699E1F1,SHA256=8B3A14AA7F75A37DBE6AA0742397A677E874EB2A79099EEA9DCB8CE3FDC8070F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.098{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.098{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.098{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.097{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.097{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.097{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 354300x8000000000000000517956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:46.068{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49712-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000517955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:47.315{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:47.315{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.994{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.992{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.992{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.992{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.991{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+fcc8c|C:\Windows\System32\TwinUI.dll+b9d14|C:\Windows\System32\TwinUI.dll+b5a2b|C:\Windows\System32\TwinUI.dll+d5d2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.991{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.990{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.964{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.964{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.962{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.919{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000748773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.918{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000748772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.791{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.776{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.776{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.737{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDA8B7516ABC12EA6DE54106A043FE2D,SHA256=92B6AD62AE15E332EEB368B7B472BECDDFC35BCAB45844FBB8B25932417920A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.730{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.730{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.730{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.623{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.623{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.613{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.613{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.611{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.611{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000748759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.599{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76D15F7A53CDADA81C752B53C15D4D4,SHA256=EAED0AC56BBEEBB328F95FFB1F513D562DA8DA047871941C229C38B9C5E20D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.579{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.579{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.578{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.536{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.536{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.535{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000748752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.463{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D744B3F13E2E95ECA5F2E0DB660BB5B6,SHA256=0C4D2612534E4C3C0CE513B6B04A55698ADB64052ED467AAC8D047222FC89560,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.440{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.440{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.439{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD85326C8D82F22820F1670CAF45C02,SHA256=3999582EF7D00E4DC756195788733C29A80137D45C562A0512EDE2847226DFC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.436{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.436{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x8000000000000000748746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.434{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E44D437B3493597AD33F067F281987,SHA256=99375F0A7EB11C2815B24CED752E3E2B61E68A09549B101041D860F8F262E848,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.363{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.363{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.347{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.331{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.331{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.331{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.331{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48762240C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000748736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.316{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 354300x8000000000000000748719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:44.381{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60673- 10341000x8000000000000000748718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.285{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.285{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.285{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.285{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.285{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.285{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.285{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.285{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000748698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1AE8-634D-9100-000000008502}43844712C:\Windows\system32\sihost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.220{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.205{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.205{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+41db1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.205{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+be725|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000748690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.205{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+be725|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000748689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.205{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.205{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000748687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.506{A78D3DEB-1A89-634D-2500-000000008502}2488WIN-DC-CTUS-ATT9701-C:\Windows\System32\spoolsv.exe 22542200x8000000000000000748686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:45.212{A78D3DEB-1A89-634D-2500-000000008502}2488WIN-DC-CTUS-ATT0::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 10341000x8000000000000000748685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.059{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.059{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.058{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.058{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000748681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:47.057{A78D3DEB-1AEA-634D-9B00-000000008502}2248\TDLN-2248-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x8000000000000000748680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:47.057{A78D3DEB-1A89-634D-2C00-000000008502}2664\TDLN-2248-41C:\Windows\system32\svchost.exe 10341000x8000000000000000748679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.056{A78D3DEB-1A89-634D-2C00-000000008502}26642032C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\tileobjserver.dll+c332|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.056{A78D3DEB-1A89-634D-2C00-000000008502}26642032C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\tileobjserver.dll+c2df|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000748677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.055{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.055{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.052{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000748674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.043{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.043{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.041{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.041{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.036{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.035{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.035{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.035{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.026{A78D3DEB-1AE8-634D-9100-000000008502}43844712C:\Windows\system32\sihost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000748665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.025{A78D3DEB-1AE8-634D-9100-000000008502}43844712C:\Windows\system32\sihost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000748664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.023{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.023{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.022{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.022{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.022{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.022{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.021{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+fcc8c|C:\Windows\System32\TwinUI.dll+b9d14|C:\Windows\System32\TwinUI.dll+b5a2b|C:\Windows\System32\TwinUI.dll+d5d2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.021{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.017{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.017{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.017{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.001{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.001{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.001{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.000{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.000{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.000{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:47.000{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+fcc8c|C:\Windows\System32\TwinUI.dll+b9d14|C:\Windows\System32\TwinUI.dll+b5a2b|C:\Windows\System32\TwinUI.dll+d5d2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.458{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.457{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.458{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.457{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.457{A78D3DEB-1AE8-634D-9100-000000008502}43844712C:\Windows\system32\sihost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000748830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.456{A78D3DEB-1AE8-634D-9100-000000008502}43844712C:\Windows\system32\sihost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000748829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.455{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.454{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.454{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.452{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.452{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.452{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.452{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.429{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=57DC80EB54D92FFB4F7C651FB4FF5B10,SHA256=C716DEBC35E00D5E4E337621616ECE5C792558D42C3D6134A011C3651AE0F7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.383{A78D3DEB-1A73-634D-0100-000000008502}4NT AUTHORITY\SYSTEMSystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTaurora-agent-kernel-session.etlMD5=AC3B5A19643EE5816A1DF17F2FADAAE3,SHA256=834A709BA2534EBE3EE1397FD4F7BD288B2ACC1D20A08D6C862DCD99B6F04400,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x8000000000000000748820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.318{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000748819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.273{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57699-false82.165.105.236update-201.nextron-systems.com443https 354300x8000000000000000748818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.242{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000748817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.126{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50602- 23542300x8000000000000000748816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.299{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884764E5AAA90D401CAACCACC94CA2DE,SHA256=73DE6C6CC5DB673627D61435FE5A940BFA8A0E22B01081A3ACA6FDDD3A58D324,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.251{A78D3DEB-1A7C-634D-1200-000000008502}4481580C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.233{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.225{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.225{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.224{A78D3DEB-1AE8-634D-9100-000000008502}43844448C:\Windows\system32\sihost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000748810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.224{A78D3DEB-1AE8-634D-9100-000000008502}43844448C:\Windows\system32\sihost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000748809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.203{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.203{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.165{A78D3DEB-1AE8-634D-9000-000000008502}43404364C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000748806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.165{A78D3DEB-1AE8-634D-9000-000000008502}43404364C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000748805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.165{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.162{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.161{A78D3DEB-1AE9-634D-9A00-000000008502}4876860C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.161{A78D3DEB-1AE9-634D-9A00-000000008502}4876860C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.160{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.160{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.145{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.141{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.141{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.124{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB550810510E8B2464B69B42E3073527,SHA256=CA9CA2FFB2E307F142FDEE3956BCE772CE85775B8BE3B00C6EA1C9D7B4E94237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.084{A78D3DEB-1A73-634D-0100-000000008502}4NT AUTHORITY\SYSTEMSystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTaurora-agent-session.etlMD5=AC3B5A19643EE5816A1DF17F2FADAAE3,SHA256=834A709BA2534EBE3EE1397FD4F7BD288B2ACC1D20A08D6C862DCD99B6F04400,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x8000000000000000748794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.029{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.029{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.028{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.028{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000748790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.028{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.028{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000748788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.028{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000748787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.011{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.011{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:48.011{A78D3DEB-1A89-634D-3000-000000008502}28323484C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000748871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.690{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.688{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+1a90e1|C:\Windows\System32\TwinUI.dll+beb29|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.688{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+1a90e1|C:\Windows\System32\TwinUI.dll+beb29|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.688{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+1a90e1|C:\Windows\System32\TwinUI.dll+beb29|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.687{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.687{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.687{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+fcc8c|C:\Windows\System32\TwinUI.dll+b9d14|C:\Windows\System32\TwinUI.dll+b5a2b|C:\Windows\System32\TwinUI.dll+d5d2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.681{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.680{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.677{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.507{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB5DEE43F51EABE50C22A86A9C86211,SHA256=ACF4B450DBFA8F8ACBB8D609E0A916681351DCBCED1CDCF0A5B470BCEB5E269D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.261{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.261{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.257{A78D3DEB-1A89-634D-2C00-000000008502}26644720C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\tileobjserver.dll+c332|c:\windows\system32\tileobjserver.dll+10822|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.257{A78D3DEB-1A89-634D-2C00-000000008502}26644720C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\tileobjserver.dll+c2df|c:\windows\system32\tileobjserver.dll+10822|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 18141800x8000000000000000748856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:05:49.257{A78D3DEB-1AE9-634D-9A00-000000008502}4876\TDLN-4876-41C:\Windows\Explorer.EXE 17141700x8000000000000000748855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:49.257{A78D3DEB-1A89-634D-2C00-000000008502}2664\TDLN-4876-41C:\Windows\system32\svchost.exe 10341000x8000000000000000748854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.257{A78D3DEB-1A89-634D-2C00-000000008502}26644720C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\tileobjserver.dll+c332|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000748853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.257{A78D3DEB-1A89-634D-2C00-000000008502}26644720C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\tileobjserver.dll+c2df|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000748852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.256{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.256{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.254{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.254{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.253{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.253{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.253{A78D3DEB-1AE9-634D-9A00-000000008502}48763916C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+4658e|C:\Windows\System32\wpncore.dll+434e3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000748845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.252{A78D3DEB-1AE9-634D-9A00-000000008502}48763916C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+46600|C:\Windows\System32\wpncore.dll+434a7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000748844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.252{A78D3DEB-1AE9-634D-9A00-000000008502}48764664C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+4658e|C:\Windows\System32\wpncore.dll+434e3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000748843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.252{A78D3DEB-1AE9-634D-9A00-000000008502}48764664C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+46600|C:\Windows\System32\wpncore.dll+434a7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000748842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.251{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.251{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.248{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.248{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.123{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.123{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000748836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:46.156{A78D3DEB-1AE8-634D-9500-000000008502}4492update-lite.nextron-systems.com0::ffff:82.165.105.236;::ffff:207.244.242.102;C:\Program Files\Aurora-Agent\aurora-agent-util.exe 23542300x8000000000000000748872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:50.566{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D6D8B561700DAC9581F60B3A7B949D,SHA256=24C7033A30C17C573314373213D3AF1F84CE577265944EC02F03D5628C8992AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.996{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_malware_verclsid_shellcode.yml.tmpMD5=6E1E46DC9DE26C1342D3640FBD23779C,SHA256=085B4B0DDF2AF519FB55E8EC2568237E560FBF82DB74B700815F43E8ADDD0A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.994{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_svchost_cred_dump.yml.tmpMD5=F0F53AEBCE931A124E3E985C2CFFAF0A,SHA256=AE72853408E7E0011C0361AFF61B9779F2073ABD98960AAE0DC0C3B043CAA986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.991{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--process_access_win_susp_seclogon.yml.tmpMD5=EFEDFB26605F94E9658238221C1E7819,SHA256=FE5FE2CAB999C14CB5BB9BB42F271E6ACFBCB9ADC1989F2B52E53E6DB1C68E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.989{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_uac_bypass_wow64_logger.yml.tmpMD5=FE7527854DDF5C71A84C639453232A76,SHA256=794F9678BB98159F1218FA30FE9D2AFA0E142BBCAB0F39F323BE7C6B623F356A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.986{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_uipromptforcreds_dlls.yml.tmpMD5=A5D7BB0F7414A0463817A19F99A5D5CA,SHA256=768EFFF929E9A2E82852FE1DA809EB20669A6A44116EE7BCB3635CD37A626056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.984{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_advapi32_dll.yml.tmpMD5=AB06D986C6E8E49342B23B9D20936441,SHA256=D7BFB396D74A919F9332B48B59B76B670B3D6D68C501D5EA31FD72BA595FFB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.981{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_fax_dll.yml.tmpMD5=00DC494A05FB6299364FB8EED9CC8B8F,SHA256=348637716E7FF12B1F9CB070A92DBD3CFFB1E9676320A966CE2DE48F30E27092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.978{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_uncommon_image_load.yml.tmpMD5=7EBF6C4A935F57A6BF7BB5F16C8884E4,SHA256=92864CBDFD51514F7FABE207B6A5F473213B0AC58935C248AD914CF5510E8814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.975{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_silenttrinity_stage_use.yml.tmpMD5=C753569415D655744184D3498D5F4F8B,SHA256=A90AB884CF6F5D4D20063B0CDDDF5200D7AAA9D9C99ACB2CEDB17FC6069E4EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.974{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_msdt_sdiageng.yml.tmpMD5=302BBDB5104D7D37EAF74651F26DFB11,SHA256=5EE380F0E8D6A2C2FFF03F14B3C6DA9CDAE8185BE5DC60E2D6F926860EABC866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.971{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_in_memory_powershell.yml.tmpMD5=FB46B57A02EC5D655F78BEC2335C860A,SHA256=DC076201DEA8CF315DB036F971A1F8F46C6A8AA82F011E5174B7F2A91645C5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.968{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_sysmon_disable_sharpevtmute.yml.tmpMD5=5702FC31F5801955696C50E4AF390C7B,SHA256=F3769CD06BF8C8C8AEA644490E8A662DB2689C9B20159A0C0B6C0D10A1DF7E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.965{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_mimikatz_inmemory_detection.yml.tmpMD5=3A8AB45FEE75028983EE3C12EEF6C9EA,SHA256=45F4ACAB37980F5D0EDCFCB548DF71FBA0CBB1324A18A05F333AAB5A0B6AC86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.963{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_winword_vbadll_load.yml.tmpMD5=558D596B2D7F903F2F5E43B6C41A628D,SHA256=0F97903B8417999A48678470BE6C85DE840905BED8694F10570943D2B6BEDAFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.958{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_vss_ps_load.yml.tmpMD5=1CAC9EF0ECFA5B13EBFC4FD474D5529D,SHA256=4C7238D55E95A7F16C99A249A7321134B51CEBD5533913EAD0183DFB3C87BD07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.955{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_script_dotnet_clr_dll_load.yml.tmpMD5=C4232FB0036C2A1CBF840B0A24453A28,SHA256=4775D18EB5CB7130BAEC5460B7FF9D7ED5CB0109B43CDEF851882435CC48DACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.953{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_antivirus.yml.tmpMD5=B0A79DC5CB22882A610ED150989201D2,SHA256=972B7D20F99F14146B6885470F90915668F1317138AD8833509BCD62BE46BB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.951{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_office_dlls.yml.tmpMD5=65ECCB07F8E0F5DD45D2CA7159FF8996,SHA256=1544855C90D38A08E6F5726512E6AAF705D356F6BADA2DE81D47BDF9FCC50053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.949{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_pingback_backdoor.yml.tmpMD5=B264198B8FA7050EFB51B82A372FBA40,SHA256=9AEFFBA6C22B820910D79A52A8FCCB4E1BACFF8D511F65CD15A323A0BE61130A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.947{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_scrcons_imageload_wmi_scripteventconsumer.yml.tmpMD5=453CD44633AC29C05EE691823C284DE2,SHA256=4DF77B4878F9DE74A893458B8AB421284BB26B67E46E005C6744656E06FB1842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.944{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wsman_provider_image_load.yml.tmpMD5=4A1E962AAF552DE414BE0E614595A6B7,SHA256=2A5D23B29707C0B49580139D8C029526E0F7D5E273513ABCBDB659AC40E4F807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.941{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wmi_persistence_commandline_event_consumer.yml.tmpMD5=5616ED5642A2F6C24104667EE7DF7269,SHA256=0139709EEFAF526B0ADF80B60DFAF76874FE33383C68EAAA0D5A035D05C7CC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.934{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_kerberos_dll_load.yml.tmpMD5=9AA528019BA1269C2FFCDD5B01350463,SHA256=A2187ED21E9D8F444DB7CC8107C9090D590BF986E058705EBD8B8844EB6C2189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.930{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_dll_load_system_process.yml.tmpMD5=486B13C8B91B46B82A7E5F9853002DF8,SHA256=12A1035A2DAB576E3C5D87C8F6C1169DE5263EA2CFB99FFB684B29CFCBC12E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.929{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_system_drawing_load.yml.tmpMD5=F55D69E3A5533D037F6D59E21C9416A4,SHA256=73875DF957374086ED07877C70C6B2B2F045E884FB73DFE35EE8F752185E75D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.927{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_web_browsers.yml.tmpMD5=2B31C3B6D91B7BDA6C95D924028EC535,SHA256=ED980C272E3F7963BE84DEA4DE9F8FD41B5304377F27C746D2B8F7D4EE2D313C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.923{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wmiprvse_wbemcomn_dll_hijack.yml.tmpMD5=CFD5FE24618FF4EC19C62310C11373B3,SHA256=20239A1EE8AAA7891937B3F74EDF5957D6354DF9AE5566BE3D51A29F1F604A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.921{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_foggyweb_nobelium.yml.tmpMD5=89664C96494115B5EBF3401DD429DDE5,SHA256=1FE0B834609F42EA4DD51442DB097E4AE32AFADE962551763E3B44FBDC9F7B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.918{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_spoolsv_dll_load.yml.tmpMD5=598D6017D8FA4009B070F9BC7B85F970,SHA256=0512635D962AFABA2F814377ACF241CEA4DFBBD43D3080293028BBBA82DAD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.916{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_third_party.yml.tmpMD5=2FF0F2E0F22AEC24FF7BB3AE1C9184C9,SHA256=165978D71845C55ED728FF162041A36C30E2CE9B19743CCA0BF8E25F382EC0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.913{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_dotnet_gac_dll_load.yml.tmpMD5=9544D26F4A5A1E3BB44423235C86957E,SHA256=8FC8E9FAC0DD82BADD3904D744580E61CAF94776407ECFF171C3F96AC5BA375D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.911{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_dbghelp_dbgcore_load.yml.tmpMD5=6BF5522F91458181BA986AA8F7F60DF5,SHA256=FDD26F07576941E67E14C4196CD4CB91E2E7593998B94D8633C5502C9B913451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.908{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_rundll32_loading_renamed_comsvcs.yml.tmpMD5=17ABECE72C577BA5AA6613602A95BE89,SHA256=D5A4BB34AD491E9BD65F987FEF39818DE89B5A008EF362CCE61CBC519A43C8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.906{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_uac_bypass_iscsicpl.yml.tmpMD5=8024A3E589CB7DAFD3E23F11A2455873,SHA256=4C79433BCEBC335D64725931E23310478572871FA9D9A49D91806AAC925BA20E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.901{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wmi_module_load.yml.tmpMD5=C28C78513D436FF49863406645357C64,SHA256=9F5FC1E7B78A15D06C6DA1E66C144404476687D605A55DC9313DFDAEEBAEBEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.899{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_uac_bypass_via_dism.yml.tmpMD5=BACEB854A8C56F78B056F680B0E39E87,SHA256=984E37E4E7BA99D5362705FE61805A61FA657580F9890173C6801E0299D48DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.896{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_vmware_xfer_load_dll_from_nondefault_path.yml.tmpMD5=DF3C66602DCA8CA769901845BAC45CCF,SHA256=367D6158EF82B23DA2FE45FE6C02285CB35B9FA36794D32B1742F6E0BB4610C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.892{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_tttracer_mod_load.yml.tmpMD5=2E34F29F32B1B971FB0F577905761ACC,SHA256=F6B443E6627E7CBBB0D9EB3616CE164C855F289F524F93654FC105B7DCABE07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.889{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_dotnet_clr_dll_load.yml.tmpMD5=3279AA00FFE7C0F0FCA4744BE17361C2,SHA256=835333E25964F750C3C654E58A1F200FA2C2C1206349BC995CAF35025BD74AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.883{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_alternate_powershell_hosts_moduleload.yml.tmpMD5=DB6F18AF010E0613E7A8D861F3DB6EF0,SHA256=73425306DED0B8F78E4391AB6C20BB6792B83BADC587BD3E328CF74146B2DA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.879{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_from_non_system_location.yml.tmpMD5=4336C731C163002F3436993923246EBC,SHA256=62B465DBE487C35A9B9C214905FCB3885BD89738F39C9F83323694CC48B1DEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.874{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_python_image_load.yml.tmpMD5=F46C5CAC6DCAEFBC70C952A139F56EB9,SHA256=3012B5D9F30C5F19D83E669D6840FD0DD769EE3EE0862F8182BEEA2E1C3D2587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.871{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wmic_remote_xsl_scripting_dlls.yml.tmpMD5=1725FF334C8D3987D0EA6A6D9A3B4158,SHA256=EB15B59038DC3BE0951602005DA93164DCE742FF134C6836C00DC29E762D50C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.868{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_defender_load_dll_from_nondefault_path.yml.tmpMD5=932F3CFFC54C6506959567182A1AA9D0,SHA256=B9D212E5A8B0AFDED7AB8F6F776A1430B0A8D98055C9AD2743531E229CDC8224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.857{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_dotnet_assembly_dll_load.yml.tmpMD5=89AF9312377CB64BF26A8E38ED035E56,SHA256=FBDA45DA432E0D32F0ECD1BEA9716BC20E38A1EB05D127A78D230DC2630D8ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.855{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_pcre_net_load.yml.tmpMD5=B74D29AAE8AE9B83410DC0BF70553C08,SHA256=5E148C0441EBEFE28C73871687B35C355F6A25EB26772450FDAA2B568E60E6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.848{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_abusing_azure_browser_sso.yml.tmpMD5=5306DB7ED12FC21D567DA78B01569EE7,SHA256=8024162C81797547805B369A9C72DF5C8BB63DD23F4D994807191AD733FE4A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.844{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_cmstp.yml.tmpMD5=225E94F8ABE21616FE4D8E0488A828CA,SHA256=998AEB7D57A1EB1719876C8ED3FDF6AFE70239B2D1B657362E612BF5A2B22574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.841{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_dsparse_dll_load.yml.tmpMD5=340F9CC109B69A18012A6A6D6372DE7B,SHA256=B8FCBDB191CE5D0FC6F6883590C064371491FA127AA96088250AE20363D59308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.836{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_usp_svchost_clfsw32.yml.tmpMD5=E41C8AF7CBE8411A2BA7922A185037F9,SHA256=2324062213F5FDE4A3B94A2AB23D653C89B74A8982CB5D05C843E312FC783606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.833{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_svchost_dll_search_order_hijack.yml.tmpMD5=227218EE9C0EF46F13B512EA49CC87F8,SHA256=DC11BC445EAD601DFFD99EF6F7926BB34869AEDBCFC51C1A614E418786469F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.829{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_unsigned_image_loaded_into_lsass.yml.tmpMD5=BA7EBDEE17D14D57D71F5E46BE5AF731,SHA256=F80C34416C14272F7C47DB6E2430D33F745758078D1F9DC9F92E0722C78FCE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.826{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\raw_access_thread\orig--sysmon_raw_disk_access_using_illegitimate_tools.yml.tmpMD5=A9D598EA58ACD0893E9D4D91B6A143C0,SHA256=2777828491787C81AE8DEB5DB0AAF7153BA5C15D16FAEE1DEB3D389D45118616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.823{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\orig--sigrev.tmpMD5=2A2A9F72AA79AE1D6652173AF9FF3680,SHA256=5FC24088FF529FED5CA6A9A9A8FA6A32BC12A97461745FF68783F0CBB6B0F197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.815{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\orig--changes.log.tmpMD5=A656D8E9A911E577FC117726336FBAE2,SHA256=0D4A65820E8DD5A28B4E867B00ABD8447D0842BA17790930B66DAD4E7E1859F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.811{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\orig--sigma-rules.sigs.tmpMD5=E5AF87927068FF6A15345D8F805AF9F9,SHA256=EBBCBE364FBD506996E4669AA69254739317BC5F219C4E18ED7005B9AFC49388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.793{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--c2-iocs.dat.tmpMD5=C140210C9F9EB45EE45B6860DF81E7B6,SHA256=91757D375091E5B6DB0ED76D3D4A7C7086B73537F23D2B6B639E9D4A60CFB41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.791{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--keywords.dat.tmpMD5=AA1A735325A2E0227503127D7659D6F0,SHA256=94DB578693B394D585505C921F4622968EF6299D439489B76055889FA1B1AFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.788{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--filename-iocs.dat.tmpMD5=51BB6E2A39D2E01B11F1E062ADD98FD1,SHA256=055E894485962D15C4258ED3D2744B80773E23D6665D2E7711EA74E9FF43A768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.784{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--otx-hash-iocs.dat.tmpMD5=CA85B52F8F7571DAFF5F0B84838F94C5,SHA256=90BE216E74C9D70C4A16705C4E76BAE72E6E804BCB36321FB92AF350F6B07CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.765{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--hash-iocs.dat.tmpMD5=5AF1C9FCFF25DC1ABA1A4E6906B5C73E,SHA256=4401EEA728DC0C3004D42E5CB506958FEF9616E0935ABB33A0871B9FE852678A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.761{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--falsepositive-hashes.dat.tmpMD5=9E432967541764233356CE2510D6BDC4,SHA256=74E773D59611941674464489E185209F1A35860F59DA4468CCA2FF0CB7729E15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.627{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.627{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000748880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.582{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63358067398FA061D28CCC3B0EC665D,SHA256=669477698667F6FAEB34EA7F7FA6F450AE93B51BFE292B60A89A6A3A185CF385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.576{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.576{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.564{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.477{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.420{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000748874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.420{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000748873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:49.235{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.132.156.201-59026-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local3389ms-wbt-server 23542300x8000000000000000749268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.998{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_powershell.yml.tmpMD5=1C757F8DBC376EADB698AE58D896387E,SHA256=9FC9DEBF5910AF9CF11D222973415D9A3ACDF6F81E501FFA84FF875189B51DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.997{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_delete_services.yml.tmpMD5=848D6A0DCE0B84C544499F3DBDECD432,SHA256=5443C3054A10CA975DAC36D417612F6745C1A6F99E476D33B7EBED9C40BB2261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.995{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_dtrack.yml.tmpMD5=87D1AE41576C76D9AAFF969A083F85CC,SHA256=B4204DD85C1324C02AC3061DA378B42C75F4B3B46DD3E35D9A59FE05EA1DC9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.990{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_mpcmdrun_download.yml.tmpMD5=E1AB7DCA035307C7CF2825C57C8A6C69,SHA256=35DDCAB813B4E26C6C590A452CB4C4359A82BE7F7227B29FB3A980921878F480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.988{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_install_reg_debugger_backdoor.yml.tmpMD5=17E2CBA60AFDF84B03B2249D303ACFAA,SHA256=86F450D4D59D36673B07724F34E4612FE7C38E670F503061ADAF52E6F87A75C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.986{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_lazarus_loader.yml.tmpMD5=9F928813B2B40D5BD26377FC29893A40,SHA256=47F2437F2B8C26A2E4F949E9E8375AA8D6DBC2740891F927C8D704512D4F7FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.984{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_spoolsv_child_processes.yml.tmpMD5=A6553AEBC159754D7DA54053FA4A08DD,SHA256=A8C9B258B32E20029A0952AFACF1E10A617DB838F62ED0C433A0F45037A98BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.982{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crime_fireball.yml.tmpMD5=637FA42B22860C1D794E7E3A005956F6,SHA256=F710333AED260DDBDF27CD7A71C1263B8CCDC66482541EF5A5ED5E9C893306FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.980{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_user32_dll.yml.tmpMD5=30F60799C274B5B3610B4E49B4AD3A97,SHA256=AF1EBD176F30F4C6209D4B41D7F50AD10B4E150F05DDA55D7B918AC67FFC1E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.979{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_netsupport_rat.yml.tmpMD5=3F699FB54CBDA5F28CD9DE7FE60EAE0C,SHA256=2F77498353687636070FE5DB4F908745F1D80660F0ABF6734E87C3795B3861F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.976{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_fodhelper.yml.tmpMD5=ACC7467ACB5EAB6FEE88D9EF37B78575,SHA256=51ED6CC3087267F0B453DFDAD2D9FDE87A9E682BA5C2837052B394009D2658CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.975{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ping_hex_ip.yml.tmpMD5=CABD798C378BB8E3D63810163C7C4AF0,SHA256=CF83C138A4120C316B2D32EBA23CF173F9FCBBAD96695BA52F595352E52E71B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.974{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bypass_squiblytwo.yml.tmpMD5=C43E3BAF0CA71CD3B411755A7992DD5B,SHA256=2BF229E6EFDEC13CD6E0EE9D60FF97FD64C800708BBF4E4D293AA7B96BC8A80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.973{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_binary_highly_relevant.yml.tmpMD5=ECEC04774C7465C1E5F67DA4A1DC0AF6,SHA256=39430AD8F66E3EFC30F9667CCCF136787A25BF9070C6922D38D987E4D6C2F5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.971{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ultravnc.yml.tmpMD5=425FEECA89BC6212DDF677F96C61F735,SHA256=01F14E4C78756879D513DE4472BFBDA9735A2BCEE60A9D5C93745F36CEDA57F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.969{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_whoami.yml.tmpMD5=D07466272F5AAD6D17735D8B61FB62F2,SHA256=762F92F520904AA6434F8B4A977213D7B5B8235FE22CA2F6FF23434D15D969EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.965{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ntdll_type_redirect.yml.tmpMD5=52ACF447C2102EA86EF9AB1126843130,SHA256=FEB5523DA6EE52B49AAB5508F3BAE13D967D5BC3975F90FC2D3ADCB2EC1F7EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.963{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_automated_collection.yml.tmpMD5=D448DBBBF742E48C85C57898FE246F3E,SHA256=71694F6C66C4F7693F452F70DC283A33DD1D8C7531010C65A2B98B82C24363A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.961{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pester_parent.yml.tmpMD5=4611A77E66B34BCEECEE2A0B9752673F,SHA256=E8193479C6F01549FD5B8BE0174293E67B0029ADDA06A2A635E94849DF06E7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.959{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_infdefaultinstall.yml.tmpMD5=8A0D52A3339CFCDCFF79003A44501987,SHA256=CBC80D1FE746AFFCD7418DEE01343BE6414EE7C10194E65E51A0F464CD12FA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.957{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uninstall_crowdstrike_falcon.yml.tmpMD5=07C8F792FFD3E47BFFD02F430C506A6E,SHA256=F66F27240C7A4D673778A3BF50E0897527CC3A70A3126938CBD1EE468CB1027C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.954{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_recon.yml.tmpMD5=6D2FCA91CDB95808136516C5D5019487,SHA256=A1B1777DA1D032D5CE4D4A9CDCA89EE9CCB5967D220143D98004D1CC2F31A21A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.952{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_use_clip.yml.tmpMD5=34B188EE9383C3491C9D85FDEE5CA146,SHA256=5233429F6577277E71BD5E640471531BFA11674CBD44B0679C89DE65FFF6A534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.949{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_parent_of_conhost.yml.tmpMD5=2161AF0E23B09C802339F253968A29EE,SHA256=AD74532695D6B0F095A97E05948E4B0662E4049DE7691D1ABAF44D5C5C7C4042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.947{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml.tmpMD5=E15E0518A1DD7ED2C4FF0FD213EB2830,SHA256=30C2B8C412869BBF8C47D0C7EF3625A3285F654AE6E79D60DB4053CEA80C8127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.946{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_anydesk_susp_folder.yml.tmpMD5=2A2816040FD0C33A7408EA8E6B09B697,SHA256=36446D7CA78D62CA0A38AA4AFEF137FC876E45F9DC23ECC54F42EEEC064EC13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.944{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_explorer_break_proctree.yml.tmpMD5=739D7B7FEF88689199DEF9F92CFC0465,SHA256=07EE2AF8A943FADD5FB173DF2AED4FD328A9492B39D2A2A110AD1E36261FC442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.941{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_activity.yml.tmpMD5=63B5A919B4BD738FED78A1777CE152E8,SHA256=4FB38CF511B4BCA23A3A53AAC2BF5C7D45B983490A3985BE189962B45905F470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.938{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_defender_exclusion.yml.tmpMD5=6BA4DD43897E3D0B82D74ABD6ADC872E,SHA256=9898C5F77672DAC37EB0131E2E1B730B2FEF5E8B5C97512C9A1BFED56EEB365E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.935{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtask_creation.yml.tmpMD5=6441C0C4D6267489190FEA14A67E945C,SHA256=3AE9FC8A1B60B285DA7930FF285E621B1381F7A3AA08BE7BBBC4E3CD8AAC9F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.932{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_powershell_script_from_input_stream.yml.tmpMD5=C92192F019CCA9789A1D7CCAFC075CD6,SHA256=5BC7EA8449E183A7086E1A359712EA39F871E6DAC199E9E889DEF180F23AB572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.930{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dumpstack_log_evasion.yml.tmpMD5=DD5668D8337C9F96AECC6F63961998E8,SHA256=B57CD22D4DD86C8F269DDEB2F85A5CD8ADD8CB52851435BDCF006268D9CB043D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.926{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_direct_asep_reg_keys_modification.yml.tmpMD5=0DB03FCBDD8F3F8539A0DFB2B191ADF3,SHA256=22D5240F81212BCC0DA1073B4CF405BB1312674439B473449435D381AA9E2A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.925{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_del.yml.tmpMD5=D7B5465CF4D06D054D3BD5F340D56D77,SHA256=DD395103106D68410D2903481913D0778090AB895A89D2D583C29BDB7E6E871D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.923{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_script_exec_from_env_folder.yml.tmpMD5=4638D2C9720316EDF353F7A785ED15C6,SHA256=6B5CCFE6A96C2EFAB1021C1E170A4195387DF5FF0094E871D5E19B5FC284A046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.920{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexex_paexec_escalate_system.yml.tmpMD5=4D92D8C4B31695BD3D62CC96550117B7,SHA256=E7065F086AD3440D3F29D607FBCCB12A89EB0A65635E3F032F7BF8BDEE374218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.919{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_empiremonkey.yml.tmpMD5=8A7C063A388FCEC8EAA1CC72304B8388,SHA256=618F7E673FE061319E1EEC96B3A5BD45CBE0400408FC610A5A1B46B74FDFDB63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.916{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_whoami_as_priv_user.yml.tmpMD5=22BDA65F5E8CE75DAE2FD91AE8077F0E,SHA256=B605C1464DD5C17826B05936E70A4A1F94713F2DE82F08D328E9CFCE7542F42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.915{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_reversed_strings.yml.tmpMD5=972B6ED267CCDD1BEB034D3C2242ED47,SHA256=C9FEDF722456E3D85A839B5640AC72B78A1EEC2246CFAE38BBEEDD19CAC99B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.912{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_get_clipboard.yml.tmpMD5=8E501DBE3B7706469E43E4C1FAEA598B,SHA256=F79708014DEC4D4BDE0AEB7F4F5AE33ED37A68832A93560C8FD47F04C0F0861D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.911{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_enable_rdp.yml.tmpMD5=EFD033D3359944ACDA46EEC57D26FE9A,SHA256=3BD3A35F9A5E64B30FFD69C2AD3A4C36334A5B06BF88A229C3D83B2E4210C2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.909{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_trickbot_recon_activity.yml.tmpMD5=3E34F45A291B5434487EDB3019ABCE5B,SHA256=F524B0EAB772311AE4BEE6E556BF11D82CF0E2916628FFC90CB801AA548A44C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.907{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_createdump.yml.tmpMD5=929EDA79FA74699EDD447D1D3A8F57A4,SHA256=975090FF3759215489ED6E1F2E5A1FEAD1DEED6780675674D4D3334D5387E8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.901{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_abusing_windows_telemetry_for_persistence.yml.tmpMD5=E76A952ECB7FBF3DF77E1BA75A17A2AD,SHA256=094C661FAA5A658305809D2F5D7006673789C6CB0CE90D4C8DE6712930FB143B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.900{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_turla_comrat_may20.yml.tmpMD5=B27698D28E5A266C0DA09AC9A7D4A778,SHA256=047089B03AC80DD758E04CFDFB8C8D44F69754E10C9A4B7294F94204B84F60F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.898{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_screenconnect_access.yml.tmpMD5=EE7C69C0E6331A814E529519FD4F6655,SHA256=6F2B8DF1D1A8D1BC073C153CE9264EA1CFBF65285DEA6F5E61939ADCC28F307B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.896{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cmd_http_appdata.yml.tmpMD5=F837FD97685BF761447BCF231CE1BFD3,SHA256=59A284C8C5249156AA953D21BD04126DE9C7FD112602CFA93A604133317CF0DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.894{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_port_fwd.yml.tmpMD5=84C90E03B1B71429EBD4AFF0C3D60220,SHA256=80C2ADF07A44C90D137622F69C657257FB7258681A5135D2FE6B0554CFD046ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.888{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_var.yml.tmpMD5=132CBAEF16D346487C92AA6AFE53B7CE,SHA256=81B291B67EEDE23AA55EC7882AF57679E8DC32A4A6F23FE9F0713034800EE2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.884{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dirlister.yml.tmpMD5=94FAC1DD032F1E9D61FD1781EC7A1B2C,SHA256=96BCA9ACFE41868D41B74E9E2CBA2A6A831A1F12FDC1A653F5661BE05732871C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.883{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_defender_tampering.yml.tmpMD5=9771DFBFB9797140DD24C5B31292FF70,SHA256=C5DEB0564E0D7248B7F7B204254B4D450D17AA974EB9D4CB1C03BC031C498B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.878{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sus_auditpol_usage.yml.tmpMD5=7854EF2FFACCC511040FA108835B4577,SHA256=AC21EE667E9662F2A9BB67904CF711829DC1C7C7AD1EE2BC5BE27CFB229AC12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.873{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_firewall_disabled_via_powershell.yml.tmpMD5=BFA31ACFE1AE5C4C35AA42B055C60CB7,SHA256=840992C452FC87B927DFB9B4257503C143149CB42C07A62E72A968858A31A576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.871{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_verclsid_runs_com.yml.tmpMD5=60361648B43880C09346AC529562A1C4,SHA256=C674C8F2E6EEC225243075A845DCE452DA1FE6AE197B2E70E65A425CEFF935EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.870{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml.tmpMD5=6611FC9F77A98F63C44552D9537D71B7,SHA256=431FE01BEBE173FB4B649D5A8FBF2271273F1869102063A78F53079AE4F52C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.868{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysnative.yml.tmpMD5=829C384752F23BC5AAB5EAAA6ABF777D,SHA256=FE65D76DF573816D3D9C8D2606D4A5251B4033AA9179F75477356FCF018FAD1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.863{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proxy_execution_wuauclt.yml.tmpMD5=BCFFF04141D35FC420469056003B45E0,SHA256=0BEA3C59726C575E0F058C0E911B454DFE8CB5F61762DCB22EB186093FB3C8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.861{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_wrong_parent.yml.tmpMD5=B27B7D21B90D1C8FC218AF5FBC34B8B1,SHA256=14AE0DEED1A4FAB710FE8ABE9CCB0917FC279AD366FE75FF0591E08D3E890D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.860{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sqlcmd_veeam_dump.yml.tmpMD5=CE0ED0A600D052A922A6C9CC83302FBF,SHA256=E4D6C996109DC400220C9BC8BF0C4E140EAE3AE9821F6BBEB852B905EB0E02B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.858{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_chafer_mar18.yml.tmpMD5=695311B43D53CF395D415AD56317BF15,SHA256=C0EC720ACA77E4A074EEE5A2D68B348C8820BF105081F13EC40186C8C827DA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.856{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_grpconv.yml.tmpMD5=313B9F5021645336F3B9271110600874,SHA256=CF8F06BFB3C095CE8AF91EC92C352490D5D2E212998CD534D399973A61DD853C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.854{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_taskmgr_parent.yml.tmpMD5=B67155CD9E829DA0A631B53CE8F030D4,SHA256=4E63FDD3F26BC1180AF8E9C967902ECCD131C10B081DD094707D2491C6BB9C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.852{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_script_run.yml.tmpMD5=31A6B0D0A23E016FD22CC8A9D4811399,SHA256=2017AC255DFDE1B3A904F313E4DD61D78E30BAE9E16E03D0FE81D0D7FCA883F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.851{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_taskkill_sep.yml.tmpMD5=9B6BBF6F6CA46B0B0EEBD2E2C7819DAE,SHA256=10B0779C51BE39C1482BB7BABB3A98B20C31029B3105A0BACAF873BFCF5A3D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.847{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_megasync.yml.tmpMD5=D91EFA20473B3EAF0CACCB8771544F48,SHA256=6A78BB9E541F103F1FF2DE3BBEE681371F7A550562FEC4963FD19C267EB5AB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.845{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dsacls_abuse_permissions.yml.tmpMD5=8CEEF4B4D4EDAC6EC93C4CD0039AB17E,SHA256=09ACA5A910119B9499DA41B225A4CAEFEDA75B44FFD0314BD491CC4DB9000620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.839{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_dump_createdump.yml.tmpMD5=3DB7F4039B671EFE4C514D254CF42F07,SHA256=A2893839FC67B137950FADD7865F030DD87AE75D233E9CC7733D826F444A05A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.837{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_certreq_download.yml.tmpMD5=111EA95E3FCCBC551E008FC40246617F,SHA256=5F34357D58E55EA495424C79D7885581AF8C96980C4E91B4C8DFFCECFF75AE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.833{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exfil_data_via_cli.yml.tmpMD5=2192470E375A08B66F2BA8277915BCA3,SHA256=53B4EDCD4D5BFD6A8292B7C4BADBC88FC2F605A958459B5D6014417DFA02CF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.831{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_lazarus_session_highjack.yml.tmpMD5=9E42F4F9A67F39C28E5F1C4A82333CD8,SHA256=13CEF2C7E31335E6C3408B37C5B38E8EFDDEC43201A509F0038F840A90C323CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.831{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powersploit_empire_schtasks.yml.tmpMD5=60D51ACC888548590EF30B5F714D9218,SHA256=F51BCDC5FF281E1766D4EB82824C144B052C1FD76EB61606EF638E71FE3B603B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.828{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dsim_remove.yml.tmpMD5=B1D17DDA1D80214E978FCC262D792293,SHA256=16476AC8AA4C9A1A6CD56AB3DFF77381BE559FD60A6E5E345EDE4457C41CA6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.826{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_ta17_293a_ps.yml.tmpMD5=B9ED6A0250A7E2F0A25124FD1177E258,SHA256=9EE6DC3927663020106B6569E5BF0397938275A06280EE2B55584320FFFD88DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.824{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dnscmd_discovery.yml.tmpMD5=166697DD4965A8CF5C9EC0213685DDD3,SHA256=DF3EA30E6F1902D2090286D133905C2C83DD28D7EC02FE2F02CC31F196B9504A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.823{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_firewall_disable.yml.tmpMD5=DF7C7AE6C94E2D64258FDED8831DF9B1,SHA256=19662E2C1AE7BB2E9EBF027B4248FA701FDECEAD9A98F1A93213492EF2DF6B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.821{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_xordump.yml.tmpMD5=175639E01364035C834C5168F7E497AC,SHA256=2579812DC0C6A31B97ECB7009333A5FE73B79530D5EA691D2F8DF92C4BC51A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.816{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netcat_execution.yml.tmpMD5=820714C91AA4DC9BDA84FAC885A82DAF,SHA256=399AF4F25F83395B1B92C4AFC1B82C2422FDBFECEB338EC854545C865A145C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.814{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_network_sniffing.yml.tmpMD5=A7F70BEDCDAD27904A445C3ECF3BC484,SHA256=2D42461EC571B3147FA6F9C815315F5500BF81544239A81DF765CF69D051B5FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.811{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_system.yml.tmpMD5=D1F779A3B9308FF48D5B27569006D72B,SHA256=4B50F504EDC40F90B319938C673043AC382AF34550A4EE1CEAC1A17597193808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.809{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regedit_export_critical_keys.yml.tmpMD5=0F2CE252D89E4F379D8A13E3CFCB2C92,SHA256=64E09549F680E62382052C7FAC3B7EEFE264903D8F740015D50717628ADB8FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.807{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mshta_http.yml.tmpMD5=67CD710BB17F8F99E50A2ADDBAE95092,SHA256=85E5DBB3731D762372D13F3DF81E5AFD415783194A22F6C70DC4635D14F09529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.802{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_using_sc_to_hide_sevices.yml.tmpMD5=3E58F509B8FD227AA6B963088589BEE7,SHA256=086258FB0C7DAED2EBF93612CE756FD6C8C4C14B77785F43DDD92BC9813AAE6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.800{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mmc20_lateral_movement.yml.tmpMD5=C51EDB7717DE6331AA87676E7C021534,SHA256=8D03B9105C5697129E8559C00B67EB29C11AACEE861411B3A7A81D05B8BA10E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.797{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtask_creation_temp_folder.yml.tmpMD5=B13BC50ECFB875E68201887D9CFCEBBC,SHA256=382B322A3DDB51CB248ED86B249A9DF508108FBD6CE1308CCA4FD27D46DA5E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.797{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BFB1D82EF5872EB15CF4C22FD09CFD,SHA256=8B843F34AA2763E2DA385C8D34A64B48ADA0B4E164F491D7F6F3E7CE52F493E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.794{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2020_1350.yml.tmpMD5=D02994F1F729C7F29C7562684A1D3D09,SHA256=66A7A81826283D6D4ABAE561666D0DF583EE119AABE044F3A2BB854077D832C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.791{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_local_system_owner_account_discovery.yml.tmpMD5=A643F229EECC1C6C36D08F56EB7B9638,SHA256=887CEA01D3AFDA96B1CD723292688C1693BA12DEFE4C9AB0885B04A8C4B6F0BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.784{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7B9CC56BA8802D7957345474B8C604,SHA256=9BADC69FCB9BA2F27B3DFEE4F6B1255036B61E89A3A305DDEAA5D6A0CA6887AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.784{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_conti.yml.tmpMD5=208B390A284ABE0502B3F43BEA84B788,SHA256=C39E8790F9973FBAFB39A41C4C4BE79E3A4F7F8ED1D417718B5ABCFB9E7001FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.780{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_headless_browser_file_download.yml.tmpMD5=8AFA27B9384DD49E4A3938AA3E4C32DE,SHA256=4980CCE55E04B592A49745BF916D6FB8C8A86E7BB27A903E39B1C1320932E79C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.776{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_codepage_switch.yml.tmpMD5=BE9DDDEB583D12E861E32769BC761F74,SHA256=0C8160787CF7C2BA53C7099E877120A0B0D83F32EA4B7896F8ADA87217626428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.774{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_base64_load.yml.tmpMD5=02B2C56D0FE58461A4A14C28BB4937AB,SHA256=5C9867E940786FF94333CAF12F8B80BA58B100850F515A6ED6825020FC90E673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.772{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_vsiisexelauncher.yml.tmpMD5=F8524FEAB2CB4066829120167FFB5F12,SHA256=D2A04F3B88E2DDF25510F7C1EEAFE02D283BF9B015A0C6750C97D5C90DFFECDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.769{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_public_folder.yml.tmpMD5=8447EE56CC8D8F7897D857A4EB78DCE8,SHA256=7E3FB17B2B932038614ADF812809D837B57B36462E71067B821EE4B73554D50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.766{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_script_execution.yml.tmpMD5=A84CF12E8467D65A9D7EA08796A8D6F9,SHA256=8331312CE4262B74650EABBEB1237DCA4FE5C1821C99A021A14463C019BC5E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.761{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2017_11882.yml.tmpMD5=5048EC79B8517614BC1A7B5B733CF837,SHA256=5642589C739F2DDD957C876A310534982B36FF5F855CA48A17A5C0678E697242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.759{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_dxcap.yml.tmpMD5=161D1BF3A2B35C2C67199DB708BF74BC,SHA256=449768D258D4B3EEC503673EE9A4A75337E75E3F1B4B7D6905903904E00D0441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.757{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_psexec.yml.tmpMD5=F92BC98225732C6590130A6AADE5E662,SHA256=72274CF9A61FCE54B8AD7F1A99F543EC9B3D7E08DA8E72508E17635C022939D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.755{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_cloudhopper.yml.tmpMD5=283F02433E07C16C2C240B0DAA222731,SHA256=E0548989EDB05578B8225DAED6AA45D6B73935B257E2E215FFF12A76BC694B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.753{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdt_susp_parent.yml.tmpMD5=0B01ED0B3B0F07D2BAE34C4F0505DC9E,SHA256=1488167E57398D9C71CD94EA3E9542262DAEC179B35C5E00C00A9E1341E39651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.751{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_ta505_dropper.yml.tmpMD5=FF84FDC3072EFC734092224FEC9F8C69,SHA256=9E73CA3335FF2135D6450A846C11EAF1D58DDBD870BC3DFB4C020291D4637FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.749{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_susp_ext.yml.tmpMD5=29AC5F4413F9654B37B03554276C506B,SHA256=ABF8968F7862898189092FEE82172A204C26E2B5D05A07A4FF4A843C07FD25AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.747{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_gup_download.yml.tmpMD5=3D59CAB8A182666F15B27666B5041E1E,SHA256=12F15FB41420FBBB7B73FC4D70B774C48A4BC680DC365D8FF5694DD39542C75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.746{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_empire_uac_bypass.yml.tmpMD5=51D1EC95377C921AC14DD9C99B5D4974,SHA256=5722A35826490A3A9585F565970DF419BD06855D7EBA41B833A99A0DEA757AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.744{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_sub_processes.yml.tmpMD5=57AE1AA13E68386997381BCAD26F8613,SHA256=8A159C9E5D1FE6D8B5F206E0143FE39EFCEE18DB227E0356BA3F1EA4FEC63896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.742{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_sc_query.yml.tmpMD5=6D6CA8B1DFC308612A7AC58C70B4B91B,SHA256=76C1E994EE942D71A32DA431C11685031CD81C6D2B540C1DE6559EF9B1B7F43D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.740{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psloglist.yml.tmpMD5=99CC3B59F59EC6890C9DD21197FED08B,SHA256=05E24A9480F1CCCD93D653B76B0C6180CE80A97F025DF4891ACE43C58973C8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.738{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_launch_vsdevshell.yml.tmpMD5=3EF71FB8A3B4D1197748C6AC7541DD0D,SHA256=9EAD1AE0623F3EEEC6C814C3FAF64C1BEC1A0B31D0D2699A56811044C12F5422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.736{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_extexport.yml.tmpMD5=AA49E9F5796DE743DFC6C42817B91786,SHA256=77674CB507B2657A069E6D17F4BDE0FF0C4FF0BB6A5B401CE0A76CEFDBCE7ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.734{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_spawn_explorer.yml.tmpMD5=422068E2CDE544CEADC5BAD8375A0821,SHA256=BACB50B186788D82685867C673570A889D889A3803D6F2C3E8E5240BCF983FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.731{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_findstr_gpp_passwords.yml.tmpMD5=97A71835AE958B75652075161B6B8DFA,SHA256=F4AC53197DCC04BA6632689DF9FD96A11AA23DD70008C34B053A0864E471BF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.729{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml.tmpMD5=C8BED624D7DADE118E15EBFBC2837A5C,SHA256=300CCC1C1B8EDC2D0D8FD645B64E6E504C5B7D1DC334C4EF1941D76DE1133FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.727{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_userinit_child.yml.tmpMD5=D7DEF081F604954952BD35DF60CB2560,SHA256=A5D7124966081E038B5B8DE067E53A38EEFD3A4B04C5A85C6F1FE300AC6738D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.726{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_whoami_anomaly.yml.tmpMD5=98F7510B8D8B2D1BB91734D881FC38FC,SHA256=567EE331C76E8059A2BF8A6C1C76E68BBC9D82A8F23093DC6E440FE1E6F882AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.723{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_parent_combo.yml.tmpMD5=E39625A4055EE0BB746116D77765FDCF,SHA256=D3AFF351153CC4B99652FA65922F9D61E1662F852D7CF24170DBD157D96C090B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.721{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_csc_folder.yml.tmpMD5=B445C4FA37170F9D545B3394FD9FC277,SHA256=B26522392BFF072D90794080DEA7893EFEDE1C4B8FA02BD08A7E7A47C7F4562C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.719{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_netsh_dll_persistence.yml.tmpMD5=C0D8927EB9AA9FBD73D5AE7966186940,SHA256=3EB1B5362EB4869AB4C6B16F33B038A31A798B4ADAD8DDBFA4A265AF3B137672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.714{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_fw_enable_group_rule.yml.tmpMD5=0F322471248460A4990D4591426CF50C,SHA256=7FF2C7D58015FA4FE6C69942A0F963BDFA375CFF84FFD4C32DE7C7278A437E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.709{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_diskshadow.yml.tmpMD5=5F7B5E003CF8E4EDBEB19FACD7C25676,SHA256=81BD46177338AE41355DC9D7A2A602EC4CD2CF26F09B1597292BFBED6809BE55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.706{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pressynkey_lolbin.yml.tmpMD5=EDE72154520ACC6F22CFC9D24780D0C0,SHA256=7E6C96F8D1C43327EE83F118CD846C1891ADC70373047BA6DD37814E65AED819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.705{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_group_recon.yml.tmpMD5=10475C000AF273E114E993EE613530F7,SHA256=B353668C3E6D337079D3F6946B249EA919C5CFF024067D0E5C107D4497FA9867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.703{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nslookup_pwsh_download_cradle.yml.tmpMD5=CE5D09C2F59737D5C850D8DD0B44489C,SHA256=00F4B6232125A3BA62DF453CAABB465C8391467020BAE3583602BE2C34738AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.701{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_muddywater_dnstunnel.yml.tmpMD5=51D74D879D7F8CB671416D74DE35C826,SHA256=3BDFAB71A32B87B8323834736AF3E0A5C60F65DCC3F082A47DB1F777449E6974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.699{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmi_persistence_script_event_consumer.yml.tmpMD5=2F68307AA5A40FC0B0C5A8992A3C232B,SHA256=F8E61BB4199CDA9DEC1ACF415884D8233FB2369282B2FF1F6F4F53D11831CCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.698{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmiprvse_spawning_process.yml.tmpMD5=AAF68C2B164437B94E5032C2B9707BCA,SHA256=1045DA15D171F837F5AE03E535DADC5DAFA7DAD619511A66A084FE22D6C976A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.694{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_obfuscated_ip_via_cli.yml.tmpMD5=50351DCDB78425E4CCD6DF7A6B7BA21D,SHA256=E9B1D21AEB44C133F30CF11C89AEEEF916779D5BCC71457DA6F09B4F4AD8AD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.692{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_advancedrun_priv_user.yml.tmpMD5=ACEF1E14302473E7BB16E1F7E9F1B4F5,SHA256=A9E27B71667080D8AC2AE7ECC8177470249AD29A876710C1B35A838AE9B8AB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.691{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shadowcopy_deletion_via_powershell.yml.tmpMD5=055C49EEB695633A5F29EDF06A9BF10B,SHA256=2CC3A9964ACE5C8C5BD91FFAE9ECECFAE4E8339CC478D87FE4781483051EC286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.686{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_ttdinject.yml.tmpMD5=B38CB1819352E0C846B36A675018E8B5,SHA256=A8D6090A525DA09FF662986FDF041816118473B5ECEC1429314AF43DF7F0B102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.684{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_devtoolslauncher.yml.tmpMD5=C63FF819F76821255FFC724E7BA6D3E5,SHA256=7F3D313081FD85B5FBC7B63966BF66E9937845781E5D70AC8C87C3C59AE74456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.678{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_screenconnect.yml.tmpMD5=1481FDA2B7DEE9F940CB972C3222B2C8,SHA256=366A64F2D2B5865057AF452EEF2173F9C13AC0CC8EB4EABB80C63CFD487F4D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.672{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sc_delete_av_services.yml.tmpMD5=71A7CACBA811A852A4208E891CC70A33,SHA256=7F48B247A0187D49FEFD7A6999001B02B28E76A0184F3794435C2C63526792EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.670{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_remote_command.yml.tmpMD5=1FBE2E75FB50C0EF3BCD62AB4C1F09F1,SHA256=F7F019C0DC35EF3096E9D7BE450407F80D4FEB43E1DA791935E61D083F1DEB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.668{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_delete.yml.tmpMD5=7F0689296245CDBA82312BEABA956758,SHA256=DFF96DB9767A3506E28D51B19015D69BDA351C8B37A7B8DCDCD939BEBFD67C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.666{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mounted_share_deletion.yml.tmpMD5=C1BA64B44C4EB69166A6CD81FD308A58,SHA256=9F8C3D9E858256ECC574B2205397A4B0910D4B37A2EABF9833FE25FEAD2B57B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.664{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_ryuk.yml.tmpMD5=03C45CA4BC574CF01B5B27F10A7DBA57,SHA256=2E99342ADF4E6F0D0752B5D5C23FF5DEF8A478C04D7A4CCFA058626FFFC4A3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.662{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_nircmd_as_system.yml.tmpMD5=AAF349843074146B76CD6F74688942DE,SHA256=648D5730DAF32F593BBFFD02D95E76D9BAFFCBF6812CA4673DDA237A73274DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.660{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_tropictrooper.yml.tmpMD5=A15984829203ADBAE72D4B05D75AF29E,SHA256=8BADC2782AEBC259E95B9556F8984B95845D2A127D0F767F6895ED69EF1C0988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.659{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wmic_execution.yml.tmpMD5=03F4759C4260DAA642CCECF0D90538F9,SHA256=606F691CF16637BE77873FCD87F2DA5858B439A834E46D80C69BC76224EF78D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.655{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_sqlps_bin.yml.tmpMD5=D4D253FF25848F26A2B2381783F5ECA6,SHA256=47AE265FE6CE29FF7FCAC686CD93B068426CE56B4E469FBA260CDB1D9C8C10EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.654{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_bash.yml.tmpMD5=B10FD63895760A5C0494CCB103040061,SHA256=4D3530DA4DAC00889E3B55832E2AA5E3D840A16F60F377121B8A5236BB9C1CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.652{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_machineguid.yml.tmpMD5=4743A8C0DE329C4D0FC166979DF49DB5,SHA256=343C955E1E58A07CE37856E76FF83AFDDB1D19DD0FE45F40BA3B6CD4B5B12A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.651{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mshta_execution.yml.tmpMD5=F99E1128D3C3094A69019A5A78025786,SHA256=DEC2BACBC8A9B6D61774D05B18E1DE99054AB76D65FCF80A30A6B95A01078F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.647{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_servu_process_pattern.yml.tmpMD5=479F7FA788FCDDCB917D1D571F775BFB,SHA256=96620DBB170D11C885AF6DDA24CB70B72E820BD05620CE2AFD42147F50675943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.645{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_curl_download.yml.tmpMD5=E328D9AADF8A00171A2B731C6321C088,SHA256=C9BA6FC0984176A4D02BFE942BD9AAE0BB20F104CF54B16B0B36635658AD8279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.644{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_change_default_file_assoc_susp.yml.tmpMD5=14A78C26E60F1BB63F27BD3C4E2CA70F,SHA256=0379194BBA5A9E24C368B5867AB778608E5DE0DE5D3D6F0D964471F53D6DDCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.642{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_service_stop.yml.tmpMD5=352860F3F5170D1D6DA0A83F1E48E372,SHA256=BBBACCCFCE277D9B6EC50B63A13AC5E8BFECACCC7ED39C006CF32900D2F5A9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.639{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_reg_add.yml.tmpMD5=46C7B6CCCC019FD3544195A41A5D3112,SHA256=EA23D3BF1074A1CC737035F6725FB828D02133417D35277C523C59E590CBD078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.637{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_changepk_slui.yml.tmpMD5=DE5E59D1B92A5285CEE4836DF3CCA28D,SHA256=65C3C1B1BF205DA85602C0CDD99900C7B3BE5FF76672A92832B1107ACFEC6A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.634{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_flags_anomaly.yml.tmpMD5=AE7752744FDBF66F8346D4D70427E306,SHA256=3B089F7A9866BC7E3FE4B7350C5CD9176A53861777976A1BC660DC61AE866403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.631{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nltest_recon.yml.tmpMD5=802281FF7D3377F176593A8A5E6A4EB9,SHA256=31B39F7AEAC9B735DFAFA9159F014C1072A187F9A8FEB331EA690FC27296C0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.625{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pcwrun_follina.yml.tmpMD5=639C04CF1EC57E8C6A2A530F5F8EE83F,SHA256=E120BE1FCA80B069015C2180C4CEC77068132D4CFEA51C36B53D46D2A440248A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.623{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_defender_base64.yml.tmpMD5=FD43A7B11B4D7569C1EA4EC9FE5211DF,SHA256=E7A8172EB7E156381079F6D9D6B751487C0638DE882EE642D058D1BDEFC14CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.621{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_reconnaissance.yml.tmpMD5=AADF55C303AF69417F70143872AE214E,SHA256=D72DBB5C95E0601BA093F021DCAD7625C40FB413C0F427DC447BEE6890D44DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.619{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_eventlog_clear.yml.tmpMD5=01D87B7C39C0A41A81A0DA578EE953D3,SHA256=98D98CF041177C7D9B2816BDEBBF5CAC8C6CDEC0CB3D0C3AA5D26639C8E7F594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.614{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_download_office_domain.yml.tmpMD5=0D5CD5A3C06353DC517EC8F56C247865,SHA256=37F7ECB5DB64DB089AF830B7493EA0708EAB4A3E715EE0BC57B25DE0C03754BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.612{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_service.yml.tmpMD5=E9C1EA82E7D7C389D64592B28F071259,SHA256=E9D3C81C7D9C06852FBA931AD980CF0CC5018174C66BC440668C0F2A9876EB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.607{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_susp_comb_methods.yml.tmpMD5=5DB6FE42946840A2C097D17BB72F990E,SHA256=E1367D12F73A5DA411EDB92E737FBBAEDC4A57A3FC043898E59E01B890810A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.605{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_defender_disable_feature.yml.tmpMD5=A064524951C7F827D82428F3FB91E559,SHA256=F9D681C654D32BC149BBF90AC7E201FE596BA85860B706C9EAFAE0CFD9F02283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.602{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_process_dump_rundll32_comsvcs.yml.tmpMD5=356B0CB16975F67E7F3FEF80833D6CB6,SHA256=C760F74C8E9FDE9942E270A791EE96BA3C477E2825CF6CE851AF2D1D9DF90132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.599{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_fsutil_drive_enumeration.yml.tmpMD5=07B9B758283673EB305F59EA6671A264,SHA256=69B0A1D05871EDB2F8BFC2DC69DAC4E5B2C6E34AB20C62BF8E2E60D98A70F7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.594{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_download_cradles.yml.tmpMD5=40D745A778FB870A3DE37FC02F9FDCBB,SHA256=1DD339E08CCAA09FE5B5AF2DEE6A31E30E473F46A28BCAF505C9AA289E61D97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.593{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_equationgroup_dll_u_load.yml.tmpMD5=F86A9894A7F00ED0EF6653BD95A2D271,SHA256=FC8C432D84712DC739838349E36C982EDB9F8CB41ABED483C7DA5797E0ABAF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.590{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mshta_javascript.yml.tmpMD5=2BF23F68949EFB9733D5A43EF3B38F4F,SHA256=9FAC9A01A21D61DD7F3BB8F8ED749F5C230A4220A43FF3A9775772F3A89ADF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.583{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_port_fwd_3389.yml.tmpMD5=583F9D2E6439AC6B1D28622792AF509F,SHA256=FB8C3D41D9EA838888EB341770B6048561BC5ED332CF6D6075C996738E5A153A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.581{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexex_paexec_flags.yml.tmpMD5=D15374F821038A4FB0BC8D6488D3EE20,SHA256=7BE1F4BCB9C8CA84F4A19F4F492A6C5821BCB689D014DF2C16F8375EC8AF2A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.578{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wmic_proc_create.yml.tmpMD5=6A0311BF9D10CF1D3E42E908EF03B071,SHA256=AE79FF01CA3ECF98758349E76D73170EB47A34E4224A96FD7310E7721CE06259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.575{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_conhost.yml.tmpMD5=A2D0B99599640ED4355A7874EEBFED1A,SHA256=7A0B00D547FE3A3E16DA9BDC408ECF4030E7C3A332C3E0B6A52C933724628EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.573{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winzip.yml.tmpMD5=F322DFC2726DF1009B3F84FF2316937C,SHA256=945531412D25A1B13033432D516F9486C6DB525B3F1D880FA72286F554A302B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.571{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_accesschk_usage_after_priv_escalation.yml.tmpMD5=F61162F8B58221221E83F4C7E498FD13,SHA256=594B8328764C37F995CC4A2AF7F3715DE83FD90109C37F91AED6B82C237A1DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.565{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_babyshark.yml.tmpMD5=ACF9529F0088A07594CA732483C1502B,SHA256=5EAEDD46E536314BC2C182B3015B25DC0E3323AB157EB88E58C21F17D4DB604D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.563{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_detecting_fake_instances_of_hxtsr.yml.tmpMD5=6143EC87E455124300F6769FC5D6AFD4,SHA256=90981FA6377A2B7F59EAD8E61CD9AA36F610734C6F6204E7BB34242D70FEFD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.561{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_powershell_script_from_ads.yml.tmpMD5=2CE97AEBEA41134164BA7511FA99387B,SHA256=04AAEA11A3D53BAE504858DC98760F3BB95691A81F3DCC28B0C1BAFD7D3957F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.559{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_finger_usage.yml.tmpMD5=5C37C46F6551484A11D1E48D25195196,SHA256=2D0170064AEBC4B58178FF6F885812925A666AE35FE819D53C90760CC1318A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.556{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_modif_of_services_for_via_commandline.yml.tmpMD5=38309643CB0DB2CF4DC44B6F393FE3C4,SHA256=0F34F448352910B76EEFD0453C1271FB6E7EC1BB225ACE47B62AF268297F42E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.554{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crackmapexec_patterns.yml.tmpMD5=565C53AA0540D2C3374112EADA0AA160,SHA256=FE0C3C19B0CF03E969999219F28A47A73F526DAF059ABD8C35268E5C801400DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.552{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lsass_dump.yml.tmpMD5=B09D53E393FD2BFF085FA64D830A5AC5,SHA256=CDAE4DCFD1B0BD10802E172FE44896AE85BDB40868AA9645EB931BC21DAC1881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.550{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_vmnat.yml.tmpMD5=8BB24489B28C134435B275490FB54F8D,SHA256=42563941FDC3A846BBB0D06DAEF89179D6C00EE98DD089ECB0AFEE39CB35BD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.549{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_software_discovery.yml.tmpMD5=7EB62ED6B436A5DC3C7DCE9D1017B868,SHA256=7D169AB29D587BDC12439F10AE8E3AF13063204ED2B21924A981AFBEE3E23B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.546{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_bluemashroom.yml.tmpMD5=5B2C84BD8106B70748A717735C9A05A0,SHA256=BFA19250ECCB2DA7F98E6177E624D3500B7C1A68BB06C65A56F064EC029E0523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.544{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml.tmpMD5=AFE04DD1D61511795EB5587BC752744C,SHA256=FAB2CCA16037C35C4CF172D5801F67722D2290C49AC82FA5471AAA96D92510F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.540{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_reg_open_command.yml.tmpMD5=9C3A9F5301AB56BE432E38135D2B9358,SHA256=E9B895CF442C5EED508E6390B1F19D399B504A25F148F52F8A735F225A7D93AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.529{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_builtin_commands_recon.yml.tmpMD5=326E99ADECDD66C28D8827C8EE0F74B2,SHA256=27E0DBBD6FE9B70E54771EF4C83A6BAFBBD8937084F0B32E99C65FD93F83FE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.524{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_hermetic_wiper_activity.yml.tmpMD5=0CA8C2065634105C9BCFFA7FEC06C000,SHA256=915F74AAE51C9B98B809579D0837B15A96FAB34D8C7355BFFE5986B863C52B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.473{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_blue_mockingbird.yml.tmpMD5=39916C631FD2A14B711D7FF9068A8306,SHA256=1B36B17B41BD22EB796B366395240EF79BB1AADC9FA5704B5D9130A63FA474A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.471{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_credential_acquisition_registry_hive_dumping.yml.tmpMD5=95962E9934D609F96ABCCB14A2BB7E14,SHA256=D6E7EAF984171A3439A5EC54490F7D04E90CB0E647F331DE9FB46C5E73D0D18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.469{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_tttracer_mod_load.yml.tmpMD5=4B0CB3FE6C69C608E35FE00568CC7126,SHA256=F99464A00A65FCE1510BC51855EEF291FA26D1BC6C78A4936CAA98AAE45366AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.467{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cscript_gathernetworkinfo.yml.tmpMD5=5E66783FD69E9FA9E142331A5FFC325C,SHA256=6F8CBCFCF47B693F295310A4C15876E56DCB92F0400076AEC235ECCAE325FC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.466{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_conhost_option.yml.tmpMD5=E0D15122655B7A21765010B0A8CF5F9B,SHA256=FAF40C72B8C221F1D04CF6D70D84290A64F010D18035224D2FE371089CE866E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.463{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dns_exfiltration_tools_execution.yml.tmpMD5=9BAE7C57310F7F67420978F30E8F1B49,SHA256=4D49C98385DB5D5200AB591B2FE9FDA849EF6BBE7996383E58B397960E8158E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.460{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ps_encoded_obfusc.yml.tmpMD5=54168EEB6254406DE54962EB5E328236,SHA256=7D94185A23B81AD29D269CCB14477F40DF85B5BF69ADB2CA11D11649952C5A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.457{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_keymgr.yml.tmpMD5=79ECFB1886196E47E68CFAFC7F3AEB2C,SHA256=4608C0CFD51C156FED7DB86EE12D4896301CABB061A72A9DBC1180ECB7F2BF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.455{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cipher.yml.tmpMD5=8AB7D28AE2E1DD4B9EDE8C7E726F128B,SHA256=9F7DEE6B628BF28E04D69E26A028EB2732C703E513888F7AB31FCE5A39ECAC69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.454{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cl_invocation.yml.tmpMD5=57A08963EEFCF4922BE95C9B17E65D38,SHA256=B06B33DF55080C25E29DFAC6F05A9C68B13ABA87C787A5D81E25DAAFE55E419D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.452{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_svchost_no_cli.yml.tmpMD5=734124FF71445B73407439B69052A684,SHA256=0B1189DC17F364CAB4A2B4B7EA1BD4437B1AA5F02AC58C9185E79475B64D3E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.449{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_lockergoga_ransomware.yml.tmpMD5=7153DAB52030FF059A89CF60B87B2113,SHA256=2E76923377D81925C46E15685AE3893D58BBEF8DCF0AE7F21E5E69646590507F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.447{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_cmd_patterns.yml.tmpMD5=10C20AFEDBCFABCAF578209DB012031D,SHA256=7E89BD81E20B14AEED68BA2456602B9D61C6C754997395CD138330E3D6073D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.445{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_quarks_pwdump.yml.tmpMD5=0A74043EE0AE67420CB2050D648BB63A,SHA256=3D15F2EC504708AFEDB2617992A95D9E0ECB0869B9473035B496826FCFBA3D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.443{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_use_mhsta.yml.tmpMD5=AD31EB60BB32B9677F9AA10B70026176,SHA256=B4AE6226D05B393A77C54CED6EE87F4B325B933C4FC21699432C1B6ECF777BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.441{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_appdata_local_system.yml.tmpMD5=78E604FB0C0AEE270E910A5A913C1487,SHA256=DA22B1DB50FB0B97EF9456250E474919476D6F8A8DD572F02E25B6C0A74A5504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.439{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_gup.yml.tmpMD5=AC19ABA4877480694F64AC3A6B6B22D6,SHA256=63186FDDFED200965F501446BB43C3AAC4B04B8CA4B0424F2653017CB4E32E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.437{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_print.yml.tmpMD5=E570F27B2B7F5FE815A4D9572DD285A7,SHA256=C02910B0E12199A599686F71E69F8D1C6FAE1BF233A2A5FC51D33264BE1140D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.434{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_hydra.yml.tmpMD5=C9EAFF0E2E256258076D64FE85A81B1E,SHA256=DC63221042C4E4ED556439FD3256B4F074403A0D37F5B8876182E663FFA9AF88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.432{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shellexec_rundll_usage.yml.tmpMD5=F428B9822CFAA80A0C5A05FA0193E6F1,SHA256=B6788C1B890701DBF0524759C4189CC6E19D010EB9B859DA79CCD6D6686AF4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.430{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_download.yml.tmpMD5=02796678651E7281C31F98F2158CD216,SHA256=235425BDDA4C601E65152FB4965D640691C30F0BB8FA3E9AB65A1251419723C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.428{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_fsharp_interpreters.yml.tmpMD5=6497415AB6DF101BA7FD238B54B3011D,SHA256=3499A27080E9B1F2B6F36CC201BAF885177880D4E49EDAA46E274F9BBD0D0146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.426{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rdp_hijack_shadowing.yml.tmpMD5=15A34395B62CC461CBA53A7F4BE363C4,SHA256=3EF955A6802BC9D28D175066B7037C9EC80389BBD437A35F4BC411654F613460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.424{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_iis_service_account_password_dumped.yml.tmpMD5=A8F5C08B579E33D5F798D26499C22A20,SHA256=B29A9B4EBCD3E8AAB4C6D0C3DB85D8EB7979C114104C4A12F445558746B5EC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.421{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_redirect_local_admin_share.yml.tmpMD5=45FC06A431193713819C9E18C338CFE6,SHA256=B09B575B46BE56978A170DCA97E3A2D75BEF9E18962CA7D501CF0CB2F242E105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.419{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_apt29_thinktanks.yml.tmpMD5=0BB046E724C80F54EB2503A97DE72BB3,SHA256=E354116839726CA7CEBD57093EE6C908E2813E2FF2AA92D1BD90EAC016F09FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.417{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_msdt_answer_file.yml.tmpMD5=C7DD6B3DC741E2A108811283BE36E983,SHA256=9D091D2A13B8F2BABEAC64D769FEA4FB338B893E057A0300C78F4674480D1722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.415{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_user_add_never_expire.yml.tmpMD5=32120B49433E5F30A2295464723FD1F3,SHA256=F1216A235F089B56517AE23263B6E30DFB2E501323F3AD20E152C94CD7E77737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.413{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_wsreset.yml.tmpMD5=056C7D0E6893A4E118B6071F1AC54CA8,SHA256=575FDD1C11E9F5FE7D0B079D8A07E75CE39FAF07D4B33FAB56296D3FCE99A8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.412{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_non_interactive_powershell.yml.tmpMD5=2D38217DCF9B4494738A15EC04687778,SHA256=83AF1748A8263587ADAC1EE972FC190C0A593BCE2C7DE7FF56E1D1B34C8A6A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.410{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_msoffice.yml.tmpMD5=3F855C5A4D3D032F905B761122E88E89,SHA256=8F7CEEB8F3C4D216D22A04B1851A3CAEDA98F4A1363CDBB99E15FDE9A73E0C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.408{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_plugx_susp_exe_locations.yml.tmpMD5=D43D0FC8F8A3B6D8D48513976D9C4BF8,SHA256=9543D7CD7C3A39AA3A2AF09E5BACDCF4D8252B49E6A375336C8C416ED4DE2508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.405{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_abusing_debug_privilege.yml.tmpMD5=8B28EAFD94CC9C9D1148B9541F4D617C,SHA256=AFC1A6B6311CF8767024E5BDC79647FD675177614526ED5872135D19CB97CD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.404{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_netsh_command.yml.tmpMD5=DFFAA49803AF63CF5E5ADF2EA2CE7556,SHA256=11BD0AF2B521FD4C8D84D036F48BF11FE2DD9FCEBAE31C4229E308FFA5BBD8DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.402{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_wsreset_integrity_level.yml.tmpMD5=DEFB6AA795BD2A3186210F3509EECCB0,SHA256=F7B729DD4DE90E7ABD61372925128D72EC4047B61E6583C0A1F57BEAE7F68675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.400{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ntds.yml.tmpMD5=47C367871CD4487204088411B0316699,SHA256=513D7666F284DF2368DA8135858B61C153050E89F445C6D80280BAC66D35377C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.397{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_import_cert_susp_locations.yml.tmpMD5=BB24F3266789E72A9E1B7BA5A40C850B,SHA256=3E30C5BEAE1B9CE5AD07FD8FA700F6173B3267E1406239ADA2E7ED2CF312DBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.395{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_trickbot_wermgr.yml.tmpMD5=98BD83B54AD6ECD5BD68B6820692C3B9,SHA256=2167084EB9CCF8E9BCB51BEDAF551156549A1C30F60A07C4AE00AA0DB61F7969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.393{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_dir_traversal_cli.yml.tmpMD5=0948F37EFD6D9169543F65A22EC34A0F,SHA256=C644754063B9D8E778F597A9125B32DAF0A03436771D1D6EAC03B5C9F33D29FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.392{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_rundll.yml.tmpMD5=D4AB6E1C55BDD259D18231F8CF86D599,SHA256=63D5D1C2EC60AB91AE717153DAB3BA06AE5F9592F401BF8E0E6070245B5E48F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.391{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_high_integrity_sdclt.yml.tmpMD5=4474C9653149B65B90BE41EB98A4E102,SHA256=161B10C27536BE9E2611DB27FC57C219A0E8DC464E43D8D9738351B968EABBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.388{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_lsass_clone.yml.tmpMD5=793C5CD33B893BA891BFF8DE0768BA27,SHA256=2628CD7D456492EFB299144FC6EAC80DE952B434839E68207933CB5B6A951A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.386{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ntdsutil_usage.yml.tmpMD5=5FFB9B97B87C562D8DCAAA626516B4A2,SHA256=F8F2D94E290EFE9C04059CB81BB9C4E42238883A46BDB504D64EF0085D9B8B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.384{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_razorinstaller_explorer.yml.tmpMD5=9E54C19DF877865A5821B5B5E43B49A4,SHA256=C9947263871021834EC01C348AD0E601F2C9EBD6251C8F71927E2B19B6882C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.380{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_taskmgr_localsystem.yml.tmpMD5=7D68877ED893CF8D89E3EE7845057638,SHA256=B3FA6495C3A97D4C6722A1543EB3829308E1344ED24935FFE0CC64C37E97183E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.380{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F8E2E56C2CB877EA592DBEA2776A8A,SHA256=1390F9D8CF91A4C070FBCB2ED475F893C6E2A5B9689F2DBAB1FFC08D55202755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.373{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cli_escape.yml.tmpMD5=76DD184428CF40D03C95658C7139FFC5,SHA256=975116F504C9D9BA3CEBE2B8EF0BD20B278695A01F9E22101043C177B7C75745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.260{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_b64_shellcode.yml.tmpMD5=855AB6A7DDB3A776C9359B0DBB00512B,SHA256=49F6C18FFC1D985BD5B6076759C973A062DF534A4516723D479210831E17158B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.257{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_bitsjob.yml.tmpMD5=123BE07B7264EA21C80977F7DCED8126,SHA256=79026B747CBCD977C19846F2EC1B5FEA93801416FEA15C2CAC8FC131C2CB5611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.254{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_virtualbox.yml.tmpMD5=B31E9D65ECFD76CA65896624E4BC983A,SHA256=795600E7661476B0DFB327B3A909D4A57D24B14B7F58F655C402F1E9AADC8E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.247{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dctask64_proc_inject.yml.tmpMD5=56C5F67BE4A2BB21FAF4FD983011E3B1,SHA256=752A16A95107AF4282F9FACE1336A896D881D9A8C43F1F6AA9842C5A60DAAE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.245{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_fw_add_susp_image.yml.tmpMD5=EC6E38A060304A69C6B0CA0A3A6FDBA5,SHA256=513CC560DD75E26E17D8D77825EA6E4B1674BFE7F4C4758C03FA4209FAB93234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.243{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mofcomp_execution.yml.tmpMD5=66D62A736DFF2BDF26C89CAECB5E7580,SHA256=1414F1358F67015D60AA319B239082ED4B962FD6C9A367BE9357E9F55CB8F6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.240{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_possible_applocker_bypass.yml.tmpMD5=BD57D9EFA43E455EA8281A9EA1C4DEDF,SHA256=080009BC05BB4CCD7BA045673DAEBCB81C78F36CD3E72EABC405EF965016B5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.238{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_dll_sideload_xwizard.yml.tmpMD5=69373C9918BFB4A4840CCCD68DD53753,SHA256=B8DDF40D6390E90A69776DCB7E40D6C091306DC8BD848EA3663B70CB0E50FE73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.235{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_redirection_susp_folder.yml.tmpMD5=13EC6228AF64C8246576301C6B077A0E,SHA256=7649E00785CF6643D9A7FAF1568C67CF960615697AE4780386A9EDBB05B7BBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.233{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sharpup.yml.tmpMD5=E32A2BABBEB55EB804D173FC6BC53A8B,SHA256=AF6CA49A2C2B83328B4C25FC8F477D1FD6E26F032B2DB1314799E38F9641A074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.230{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_krbrelayup.yml.tmpMD5=53C6F6CDEC0EABE385A2A9A456A934AA,SHA256=A22859FEFB6C2C92EF9193495C96AF7CB25F3024AF943207CC25DEB64ED8A559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.227{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crime_maze_ransomware.yml.tmpMD5=268E12E058F0B16580C26E1F55AEAD01,SHA256=F18C1E5AD8758325A54BFF7D382E37FE55E3F1FB028A9FA835F61A9C6D8428E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.221{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_manage_bde_lolbas.yml.tmpMD5=A439B8A1DD9FA1BC9AB3B26AA808411D,SHA256=F2381E1BF2C879A191725DD09F3FCED02A5F42998B3EC38EDE874984D5751792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.219{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_format.yml.tmpMD5=34458BEA5BA47D5A42DCF374DDBB369C,SHA256=3DD599AC4550B2C1932C29829A713524D23C0FE87F784A649B316DF5E97D4135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.216{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cmd_shadowcopy_access.yml.tmpMD5=BD3BD24D80E26143896987D5F898AD66,SHA256=B551156529F17D6B5DB941AB42D6E66227BAE6E6A5DF54F7AB8BF5B30A0FDABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.211{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_sigverif.yml.tmpMD5=48F9507F580906C1B035B4D1B5AF2A3F,SHA256=E38A78612F1885CFB55A42B18D66A10D7E385F0E47F5F8A70B6DB87BBDA1856A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.208{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_schedule_type_system.yml.tmpMD5=E971341CFCE9BB0165B64B6FCB130A92,SHA256=639E0FC991965260F213E412B93494C87575E5E18F0424B931308A66570B5170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.203{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hacktool_imphashes.yml.tmpMD5=962B1D688C257F3E087318CA9F344313,SHA256=B0EE5142A556829E29FE1FE9EE196F710A8F980ADD06AA895C988E342457DEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.199{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml.tmpMD5=59EFC7831ABDFF62B55715443A25826E,SHA256=53AC3238C47C7EB500245E3D6D67DEFF0D0AB4C8261AFBBC83BE8101A62E4703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.197{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_gpresult.yml.tmpMD5=28005D9CD82BB34CEFC560E11397BB1D,SHA256=6E03313DB319153420F100870FF4EEE47133DFD4D0FCF4CFCA524255F8528519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.193{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dinjector.yml.tmpMD5=970EE0436AFBC844CB74FE7ED90F5F07,SHA256=CB47F7F5704883B722424BD690139E31C2EBE88AA08C08C7B45BCCA0EC31FF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.186{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_copying_sensitive_files_with_credential_data.yml.tmpMD5=C3FC7A2E17599B578C961CAD6C1FE51A,SHA256=E4F6C17AB1EB93B2A09C7781E8DE812857159851576C2B9AD37B421C95FB4A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.183{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_commandline_chars.yml.tmpMD5=D4999D07CA11F48622B0C99C7B20D3E4,SHA256=35A69EFD670EBE4C7D3EAB499A1076FB61515E731003B2A348381330E8FE729D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.178{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_base64_reflective_assembly_load.yml.tmpMD5=C4BDF7D5C37FCB2BDB37AF71AE635A4F,SHA256=1DCE92F7FCECEF5B77B06F6CEE6865763CB1B28D5186846DBCD6A8544463C17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.177{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wuauclt_cmdline.yml.tmpMD5=21CC42EE6A84B28808ABCF5E38CD6AC6,SHA256=7662246CCE397B600E92418B56C77A65E3AE3C69A9BC468346A08EBCE42FA5A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.174{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msiexec_dll.yml.tmpMD5=4751281C9CA1C881C92E91421938A43F,SHA256=F0CC22AB10C566B71FBFAAB7CEEEC43F15F4F8FD1F60D3C3186BE46A743F88E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.171{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rar_flags.yml.tmpMD5=3BCD438910689FFEF58C4009EEF4F1CF,SHA256=57B1A5046C9275BFC50FB26CA860D16E63779F6B4B8C210580413A48A409F5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.169{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_non_priv_reg_or_ps.yml.tmpMD5=28087C6532D2A88A805B751CA9FDB811,SHA256=15007512CFDC26FBE20143B2AB6F17EEBC057D861E7354E8D2398260C72DF514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.165{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_net_use_password_plaintext.yml.tmpMD5=756A6D657947D3C0236BCBA772FC5C35,SHA256=21646E8F7F9A941D1810C81ACF2FFE35D1342614BA8CB606A8138760230D6BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.162{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_selectmyparent.yml.tmpMD5=B101A0ED2AC2CAFBB878062AD2E41667,SHA256=4D12A96EC142F9A10458484B957B07FC1299B93F00A4F6428EA39C3C3D1AD0AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.157{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_long_powershell_commandline.yml.tmpMD5=8A287D58328B39800847B57C9048FBDA,SHA256=D5F0BBC4B477C97E85A83AD300A20A523DA8F8C02205354A5AB349488E741DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.155{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdt_susp_cab_options.yml.tmpMD5=5259B52672672B8217AA581EDA4507AF,SHA256=A00AA3A7FE37314AD641251D2A2EDC3D987150DA4B2474795C7EE6CC1CDD69ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.153{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wab_execution_from_non_default_location.yml.tmpMD5=879143AF16785B26A93B3F9DDBEDF677,SHA256=FBE72819F85C2CFFCEB69487DC2ECC2C0DAD6C6B7DDCCA0C87C60DFBD0B3E39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.149{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmstp_execution_by_creation.yml.tmpMD5=B90B36676722D40EAC68774779522C7D,SHA256=494AFF40B9CFB4F19369D0975A29BA7BE0BEA0821951FFC62B6AFFEA0278A05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.149{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1112AB7F2303408C02B9486183B890,SHA256=A427113F1ADFF1267AF27D4768BC570EBA90806617E44A4A93F58C48DC507317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.145{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tor_browser.yml.tmpMD5=043C746C95F429409F90907335E07DF8,SHA256=030F5E9EA52F0CEE05FCEDA464F0DDEAD2CCD4DB870562E137DF42ACF70CC695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.143{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_fsutil_symlinkevaluation.yml.tmpMD5=7DCAAF7B2C29B2A721472C0C10D30280,SHA256=D47F08139F399C8B5C2029E9C2B2E393D0381F2E54B0EC52875790957FE93D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.141{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_rundll32.yml.tmpMD5=B6FD53AF42213340979B6B731AF7918E,SHA256=437A65EA6C9AE58F934F25A5E78BA09E86B1261CED6B9B5F8DA6060D192973ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.139{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webbrowserpassview.yml.tmpMD5=B21D0388C388306A9BF1CB516F16761C,SHA256=7752401948B68923A0A6B8E45301C682C611A7D7FE5D18D87C492F1E298F68F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.137{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_enumeration_for_credentials_in_registry.yml.tmpMD5=82FDD984355AC0B98501D86727BFD789,SHA256=455FDC086DCE622EB4C50F95AE01C2F03194A6D3335AC157EE58F5643919CFA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.134{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_susp_ip.yml.tmpMD5=B78590E265BD9ED0D0BD96AC4C5C33F6,SHA256=5625517029C06ADAAC19F14D8F5C586A0731A2D144C99BC40E0D7E85A1A54D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.132{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_change.yml.tmpMD5=E406CC1619963EDD0AEA334AF7C6C105,SHA256=77031555CCA2FF4F4367B857AABA3D9FD1B9CE475794F019F1C92EDA512C8E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.131{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_zxshell.yml.tmpMD5=E0B394060A68051994BF8496165774F6,SHA256=886E03F4AEF550C20E5867A11872B3AF99B67B3268F1A565218B1D14381290EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.127{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_icmluautil.yml.tmpMD5=CD4148936383A3E5A9AA267E7A2355B0,SHA256=C723549371C240D14B6BCE06BAF8FAB1583207D28112958F40F753FD19C08B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.125{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_ntfs_reparse_point.yml.tmpMD5=87E44F531DE0561E233E8A9C8122EACE,SHA256=26F18D5D017A37093DD18BDEF7033A47C098F5D17FA693042294912348D63E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.123{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_dump_dumpminitool.yml.tmpMD5=0751A8D0A37C03506E65D36E8230D933,SHA256=3241A580C16B636A7F0E2C7AC61636E7D31926799D75717EBC8EA57D9C5C7A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.121{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_parent_explorer.yml.tmpMD5=5445120AF21297A81BEEFF6470F24C9C,SHA256=96BB0E554417E9383DEABD50EA45D6E107BAF788008D87916DE2DA161E147ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.119{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tools_relay_attacks.yml.tmpMD5=430D05136C4FAC19F53A1E1F7B38201B,SHA256=B227FA42591953A609C86BFDFA115EEC9DFE45B05A403014D486398BE82204D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.116{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_executable_invalid_extension.yml.tmpMD5=C8760D20DB41A19B8D6D657A7525182E,SHA256=4B831209BFEE6DEC4FC0A0644F734A68E7B2722941DC4A2B1C90B79E93263E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.114{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_plink_usage.yml.tmpMD5=D57AB0264BBC9BDA95664A9381E9B0E9,SHA256=0849D79886DDFEEB29C7693D0693DC334BB3CACD3E2D534EE9AEDFFF7FCD0C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.112{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsupport.yml.tmpMD5=058543B322E305172346266753475EEB,SHA256=21A29350A549DB86BA291BC3DBE4AEC58615D51B283296F7FB1791CC22274AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.110{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_hidden_b64_cmd.yml.tmpMD5=4A4EDD94683B41E4D25A18575877D1E1,SHA256=BD3A89FE7FF4D527B440D01012C3B2A5A7A152AD5591EAAED0BA65B75CECB730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.108{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_reverse_shell_connection.yml.tmpMD5=0E3CD91CF45615764080D31BC2E87A82,SHA256=AE6DF590A18FC7360662C850AC1F0DAF70C513366353688F246C69DEF6A77BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.106{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_parent.yml.tmpMD5=2FD4FCF88E0EFBF6F5041DE5A249CA56,SHA256=8115CC8BD499D4CC0B69203615D40F31D451D850A01B01E6023FB46DCA560364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.103{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winrm_awl_bypass.yml.tmpMD5=8F0FC6D3D22D8C320190BFA6E012E53F,SHA256=960D46802CD07FCBD62E1B896E8DF8D1E0F8ADBEFFC6E371F58F80A70D623276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.100{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_scriptrunner.yml.tmpMD5=FCCA66318B5C63D9A7624C93C475EF7A,SHA256=B9836299A6DCCD87A8203612B7367713BD0C67C21E0C2417D7C0E9B8A2582711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.097{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_script_exec_from_temp.yml.tmpMD5=849A1DE2CAD4596E18602666A974CAD4,SHA256=868321B7EF7912A8BB33D442E330336B9602D7770C6A1173F176E6C0766E626E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.095{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_idiagnostic_profile.yml.tmpMD5=0C8226F8C81DC01AA61B70539ED9B17E,SHA256=AA2C7A3202C5C1F6F6800716C337DDEEF92D03B3F17A881C3DE6C4D8FD490434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.091{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_extrac32.yml.tmpMD5=E35366E57B85BE6F1AC95E54297FB737,SHA256=5D78566327C5C39ADCED0E811969F9DEC6C7E9ECE2E1C0A6C27DDE83FF08B495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.088{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_reg_bitlocker.yml.tmpMD5=51061689402BE3FC25765F149BC508E8,SHA256=12E6706138BB30A30F8374EF109AC2AEE71D69625D54FCF50CBF5E5025BC9DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.087{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_csexec.yml.tmpMD5=530536121A804BBE6DA6AD95777EC68B,SHA256=9FCA065535889CE119BE94B6F0563C06E5E7E8A138D1FCCD69AC62093183DDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.086{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml.tmpMD5=810F62EA5311F08447D517866AF9621B,SHA256=586272D9CBECA75ADA0D1F687D177CEF142DC9D20C0A1994DFDAAC0F7DDBC8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.084{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_download_iex.yml.tmpMD5=9A6834EB57101775E7CD1DC95E922AC2,SHA256=E0E4AB4ED29CF1FA740BEE480161C6FC7C40F412E0D56A08CCDDDA7AEB6341B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.078{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdt.yml.tmpMD5=05DD47180FA97E9039AB4FC9D7F4BD1F,SHA256=502C2CBA45666958C47718BE30711B0E4AA674D9B9D046D835F6D6EF0EF793F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.076{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regedit_import_keys.yml.tmpMD5=ECBA7D26D37EEF1F8BA9554A2EF8C802,SHA256=67136659D76EA86BD9FCAF8D6B5D5B60126467A61664A5D5D937B25EED79B82A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.074{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_c3_load_by_rundll32.yml.tmpMD5=905886665B0A5D21AECEEF60EFAC3BD5,SHA256=408D6D66FA139D9B8214410ACFA899E06BEC32FD262BF3EE143D0389DECAFE60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.072{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_gpscript.yml.tmpMD5=F4336666B87C71E8791B11AFE4709E1C,SHA256=096D4541FDF1D2B059A1EF86578E8C827406F24626DA9D84B2A8E479C1B2AEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.070{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_invoke_webrequest_download.yml.tmpMD5=FEA555DBBCFB011B7F54D366D83BBB0B,SHA256=377D3DCAA5C4DA6E9980483F5BC62588000F6F8480F22AE52A873B7CEF67015E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.068{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_dragonfly.yml.tmpMD5=9DE26C69524C6A43F854B4317682739E,SHA256=AC33676FBBEFD0695F78C59AD8866E0F34E07A6D2EC60ECF685B307E72726AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.063{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dsacls_password_spray.yml.tmpMD5=601D1A3EF87D3484B2161DF273C4EE3D,SHA256=C8C99A3AEC530242B7E7FB114DEFFC4DF8723AE77403DBE80D2BD2777F401771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.060{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_susp_domain.yml.tmpMD5=F30163CD8676FB34250A158FD4F201D6,SHA256=2A64F9511DB428AF59C1F475553FD451AD7368A52AA09DD8066FE63387CF52C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.058{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--process_access_win_shellcode_inject_msf_empire.yml.tmpMD5=89E52D0D07CBD5CA501586D398772AC4,SHA256=7C0F5BCCB5ED25ADA6E12C43B2D6E6524E9BA4A226BC7C769EF302D7273D27B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.054{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_handlekatz_lsass_access.yml.tmpMD5=7E69955D2B2C7044D91658EE6A7F5ED8,SHA256=01CAB20B7AA444F4B1EEF42A5EC6DD0C0D3D43BAC736277428C661356061B4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.051{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_memdump_evasion.yml.tmpMD5=08F13242BCB9955D3B35FD592E42E4AF,SHA256=6B2B1579AE505DC745F23806DD87874B2E0C14064D6123D11206020682332C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.048{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_werfault.yml.tmpMD5=E0B6C77BC49D65E112B388BC5A8CC8F5,SHA256=8F8D3DFA0601666FC720AD1370E52E42AEA56A0486A71B3D76F264EF181C4827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.046{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_rare_proc_access_lsass.yml.tmpMD5=BCCD993C1A6412A9017C1F2E95769E07,SHA256=E91BFF0703AAD058E0475008D0E5C3D886CADB1FD4CF7E6C390870F657A1B560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.045{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_susp_proc_access_lsass_susp_source.yml.tmpMD5=65E64C2E0A269C7C2F54B7E3CA216EA5,SHA256=878B0C103F6693B0A3C8B21EFC8F6786C8523F76277B521E8527BC4381C70F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.042{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_direct_syscall_ntopenprocess.yml.tmpMD5=CE9C8CBDD09586B10854EC06CE298A21,SHA256=84CD650B853ADCE9736B25F86F0AE97CE35BB235F61A99098DC9D384D9EA5672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.039{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_pypykatz_cred_dump_lsass_access.yml.tmpMD5=F8CFE479C375519912BE63964DC0AD64,SHA256=311AADB4E6801264923AF16851D88865E2806E6B89B67A407216CD770121B8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.036{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_memdump.yml.tmpMD5=7760CB12D87387AAC4BDF2EDA13C3184,SHA256=060D988C7432DB96F0D2E0AC37ED8E7727F04A9FD14DCAA9D534D549764CB500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.034{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_hack_sysmonente.yml.tmpMD5=CE846B190E0C6D355871C32A96BD7B96,SHA256=F11DA6042C3732540770376D68774882C5FAD0B203C9311ABB6CD9725B3ACA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.028{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_cmstp_execution_by_access.yml.tmpMD5=81011F3C65D9E4D07AD920CD8EFFBF06,SHA256=24BA78D27430F4C50705C82FE2048B35489268AC76EC3B8E9A8DBD852E8148F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.026{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_load_undocumented_autoelevated_com_interface.yml.tmpMD5=66BB578C685B47EAF76F5840B611117D,SHA256=E6F3DBDDAD92D803A5354D6A5E380A13F04026313A0845D17A050C4DEC74F051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.023{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_memdump_indicators.yml.tmpMD5=55F9674EFC484CDA3305077D7FD35217,SHA256=63F10A21C8422619D6199FD7962B2FCA826D66781FADBEBC582FC9C743A31BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.020{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_in_memory_assembly_execution.yml.tmpMD5=262FB44D7B3509A02273ED2F4579AC3C,SHA256=4BD4FCBF0FEEADFDDCEA74E77888E5BBCC6AF7B1643F3DCF28E62CD666FC81C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.017{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_littlecorporal_generated_maldoc.yml.tmpMD5=09FDB7A2A8E63FB6C098B2F7EC51F47C,SHA256=EB20AE486D6CB33577E084E20796D92DB8388A1E4B209164952AB475F2EAAC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.014{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_cobaltstrike_bof_injection_pattern.yml.tmpMD5=BD3A5EABE334C78C960F28CFFA5086DE,SHA256=7224E4DA404456000AA3E139F31B3F9A1E368B29496A6F9BEC7E043CFFFF5F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.012{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_cred_dump_lsass_access.yml.tmpMD5=05BE9C7C3D2071723EABFBD5503035FE,SHA256=B1DD149E5BE7329824524868477608A68A1E94F1994B041AE325C1745F5243C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.009{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lazagne_cred_dump_lsass_access.yml.tmpMD5=0590DC32560DD58D20E5C898E74867A2,SHA256=EFBD2C443AA3A243C2D902FC23839E440ED6DBDF057E8201B48BD5298F30A7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.007{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_invoke_phantom.yml.tmpMD5=DF50D184336FF7A36D22C56F61B7B13E,SHA256=D905F088D1F66B7D418EB47F632F1CFD6A420809223CB9DB46D22E9D3A1ED309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.005{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_mimikatz_trough_winrm.yml.tmpMD5=9C6600CE47931B9B841E972E7915475C,SHA256=D77077AF391C5513D910D3CB8AEC145E71ED71552F3A365147AB37F2E6DB0307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.002{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_susp_proc_access_lsass.yml.tmpMD5=E57963F6D8630FC7D7DEE194FF08EF9C,SHA256=83667162E1987CF42ACBC0A8BB54F421CE802670C9FD4021C99DF6AE7304403C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000748945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.999{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_dump_comsvcs_dll.yml.tmpMD5=F770EE5A2DB57F39AF0B4C9F0EDE2802,SHA256=540B089537DA3A959AD1B695BA8EC79A732216389C85302B611FC00BF99DBC2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000517958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:51.092{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000517957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:53.118{5C0BDE06-1A78-634D-1100-000000008502}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2DDE830DA25D7C6F930DACB458FA1FA6,SHA256=6CE345248EF2C5A85A81F9CA5AAF8DFEDD63ABF7AA88FA5182BB962FA742A33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.890{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_stdin.yml.tmpMD5=7B85123CC69EAB2BC22B50A3071953AE,SHA256=AAA6F6877E237F76BB672877B6A989FDA46B4CD2946C9D596EDE6D06F00C2034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.889{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hh_chm.yml.tmpMD5=E88BD5731F92D865240E87DC934042F8,SHA256=FD4B88AABA04502968DA01C88F3B0279D69FB99E1AB41BA0448BC010538F33B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.888{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_certoc_download.yml.tmpMD5=A0B8BF3DAE8520B9F4AF143980DAE0B9,SHA256=100D3E4AD907C9E63B6DCE6A3EEA4654FA96468B25B7E406046CAAD16E3D4BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.885{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_susp_parameter_variation.yml.tmpMD5=E0A7A564A2EDC6DD1DFCA8F222D5ABF6,SHA256=4946C01D9E859186764AEADB4EE575DE5BB4C6E04934370A8036A114F09284EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.884{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_audio_capture.yml.tmpMD5=64F4A042ED31152BED122D1D92E5E9D2,SHA256=388CBAF2524C77C652C587467635007B97CF4E1016C8911CAA142EDA8C2DDD73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.882{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_lazarus_activity_dec20.yml.tmpMD5=50B2E7A3FD9FD89ED70A350E3B6DEF4A,SHA256=DC0C065CBCFE7E6E0A8542D235B1148AE8B3C0EC2A315D3E02E116700A620D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.880{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rasdial_activity.yml.tmpMD5=8094152422AB5E38DCA8A06F4BB76BD5,SHA256=F1113F575EA2BDDB6983CE01B4BC7B5B82EDE5951764EC43740A629D7A0E6CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.878{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_image.yml.tmpMD5=22043B1A1505277A59073CB4E65F97DC,SHA256=E0A3A548B6F4C04A5D4D234BC8E8241690DDE04D938045659A59E431AC368818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.873{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_debugview.yml.tmpMD5=00B391F0398B2E9C0E0B4B783E73C234,SHA256=9A11A477ED96227A0ABADCF0FA24F64C2B04170745FA4E851C3478A8C2ADCA30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.871{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_msdt.yml.tmpMD5=9C1E33FEC4D96D507C0D21A9834E96E7,SHA256=66BE9F2873FBA49C8B608E0A0F030D3FA7EE88AD8C8F7C53DD5124B563D67E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.869{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_krbrelay.yml.tmpMD5=B4DBB8DB445A54F3BCB866819CE346A5,SHA256=397BAD0601A7F50595C6739F8DFBFC0A2FA6A87873B9BB121004ECD7E9A7A790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.868{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_jsc.yml.tmpMD5=9D3C1EB68AB92452B6A09EE1AC6547FE,SHA256=99FD71FBA40232517D373D0C9042650DC0A1E7EEB82D50A89A3267915ED8271E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.866{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_tasklist_command.yml.tmpMD5=18A90FBD524D40E54E8C7B0EA3581A50,SHA256=EB4610878ADDFD0DD74DECD440FFB14CDCB917E6FEAF0C66238AF25939EF95D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.864{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_conti_shadowcopy.yml.tmpMD5=048AC1164A4DBC44CB8541D4C8DDD9F8,SHA256=3E1C8E6E5D08352497DD1FCA8ADF8485330D52CAA0FCBF03D426818822E304F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.857{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_root_certificate_installed.yml.tmpMD5=E98024B2CFC69869437DC9AECA40FA5C,SHA256=2AA418F1BE14F40C1555523932328D4BD5F1E8F7FF78FADCBA14571D15333FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.854{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexesvc.yml.tmpMD5=9FE7166ED0A6754BA174D9A8E38FA5C6,SHA256=5309E3B32F05BE89103D7ADE7BD07A60E1BBEF8A875020D291757576A6182DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.852{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_conti_sqlcmd.yml.tmpMD5=53EF487D4323616B72E4B1ABE3BE1274,SHA256=F8AC3116C774E56413793726DD9EA039DBE52D4D9AB3E4DBCE03E64DD3025B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.851{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ldifde_file_load.yml.tmpMD5=59F92A78E57982F30D49C2796B0412FF,SHA256=90CB329B2259042099ED49F6A1E32E2C7D69AF8AF3EA60118EC5623448832128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.850{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_stordiag_execution.yml.tmpMD5=C9060B2A072582AB285D1AF263066F43,SHA256=94D848D3A0D4CD921A0C75A6EEBC333F118482922DED3A1995AB00A3EC1B24D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.847{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_xor_commandline.yml.tmpMD5=7DA087B11484B71CF09B111F7CE8BDE5,SHA256=7045B42178D7BD32626A8B876CF6C6BBF9484DA8879D3291B93847717C56C250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.845{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_wifi_credential_harvesting.yml.tmpMD5=D2FB0D3DF537C1559FDCB952E322367A,SHA256=AEA4D2B51ED9FD6FFBF0D1F6BD6814BBE7B6889F507B39FA22F90A944AAD5FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.843{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rpcping.yml.tmpMD5=74FAB1D1F3B633CBBADE3860932BEDB9,SHA256=DF30727D4D7A5B1769053E5D65125854E8D15E388464B8885D74D6CC025A6E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.842{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_snapins_hafnium.yml.tmpMD5=AF9818000EFAF5F6D8A65A6F075B64BD,SHA256=85E222756A6ACD79BF4AB5731ACAFDDBE9BB160CB4F499EC9587DA4B5BFB46BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.840{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_replace.yml.tmpMD5=2D0D268F0288E0484367E2E85836B93C,SHA256=373AD0E3CE0F11E5C7FD9AEC54487747C977926832DFB8C0B5E6697FC318FAFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.839{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_file_permission_modifications.yml.tmpMD5=BA3D26AD026A4E2C01A3117BCA9012AD,SHA256=0B8D379027D583C8157695C186A05806F9500ADF3A021151B7B9502ED46B20B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.836{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_asr_bypass_via_appvlp_re.yml.tmpMD5=F4609288BD18430FDC430A07D575E5B2,SHA256=8B6C63A51E02C6EC805DD05A987E0D2406E275537A33EF91B0E0DBFD9F7493F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.834{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_turla_commands_critical.yml.tmpMD5=329F34A0EBFE1DC2C42EECAA1BBDE14D,SHA256=631D968B6980993C668565EB85643857564E1F1CB75435618F0F46FDE7C805F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.830{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_delete.yml.tmpMD5=ECB673F1425BD16C47FA849090E34F26,SHA256=AB76D793B91DE1EF49706E35E1F54CE5008AEAD3DD363493129E185E83C26B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.826{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_radmin.yml.tmpMD5=9270338E0008C0098A2D80F9D8036640,SHA256=C775781D4E8DBD8989E770623045BF3BC5452E89B6940E92A10CDC41567ECDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.824{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dll_sideload_defender.yml.tmpMD5=04EC22E7E3373D6F203A4C488D178364,SHA256=16CB6F006F0609D4E22FB4CDB8D9B064AD177363891AEA12DD9682E00C097BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.823{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_chrome_load_extension.yml.tmpMD5=B6D8FC1DD10E65EC83C3619CC3347657,SHA256=ECE8E1017150D0705404C2F8968DF4202C8B8DCE674955A75DE7D60FAD815041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.819{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_csi.yml.tmpMD5=B0DDDCD876B977AD8A096519854DE79C,SHA256=2DD26A06F064EE89CE39AF9505ECFA07686056F69A10CB12FF7420974D0350E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.815{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_expand_cabinet_files.yml.tmpMD5=115144D71FB723525E4BADF81280E9E8,SHA256=4BB06227C484445EB1410CA9DCAA959AB9D944C81C355D6FA769B124F4BE2494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.813{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_vaultcmd.yml.tmpMD5=A55148466EF632E9AEFF5BCE6413FF59,SHA256=6085424487C8B4FD89DDDC187D4F4EB162DC97994CFD5805F9E6DFB1C040D021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.811{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psr_capture_screenshots.yml.tmpMD5=5B181493C5DE7818D48EE8918705DEC2,SHA256=5A14EE9B9EEC2B91A625C71C1A696647107996339D6E1848F66A2798404A4194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.807{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_fw_delete.yml.tmpMD5=90DF40CA43A85C15DBEF6341D77F3EEF,SHA256=59AA7221144DE3FCE90EBCD12F966CEF683FF8D57BFE6F68554D2282C97CB229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.805{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hwp_exploits.yml.tmpMD5=116DBC9FA8C9C2EBA1BAA20F817DFBA9,SHA256=598A010CFEFB7A41948D41F1EFB2F55D560870C30C4BB4A39C25EBD3BEFC22BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.803{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmstp_com_object_access.yml.tmpMD5=292B240E16A83CE4ED9F07E922B5DBCA,SHA256=A02A2CA92B885D6B64F4C0EBD62A0E291C95126428BC45557DF0B4A0B50BE676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.801{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_encoded_iex.yml.tmpMD5=2292FC4D31EA9935C439209B1BF9C637,SHA256=126A2328CF08211C5DADA1168F8F0AD2979696D6F455B5BE78763D02FF25ACCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.799{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_adcspwn.yml.tmpMD5=1B13D2E3DE531127637ACE37CE482B65,SHA256=E9367654C069F771C86A9F5384F3A991228BEE132C9578DC1FAC26950F1F9DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.798{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dtrace_kernel_dump.yml.tmpMD5=A879AC46A3E038D402B6CF5D1375DCC9,SHA256=75255EFEA7D813E5F87107C6EF93D3D77C0909571D4FBF65B129AA5BBAFAFED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.794{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_slingshot.yml.tmpMD5=0540D208F2C6FC94B5C3A2432E6A484D,SHA256=C1326ABFE6A70C86F95BE8F4859AE61CDA5C932BD40769F0D54408472430A357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.793{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_esentutl_webcache.yml.tmpMD5=C2336A7C4C0BBE93072651EB7C6CA2D1,SHA256=71D5E23446F8F3EC3F21ABA1A2E16ADE1D531B7E735176B04F5280CB5FF46C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.790{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pubprn.yml.tmpMD5=BA9C22D800F96108692384DAABBC4204,SHA256=0B905E81EB28AC02FDDD24AD4969A67DE1A39ADE1F2D6EEFE9D348EC2F0309F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.788{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_wlrmdr.yml.tmpMD5=F7606CF5FBD83C64751E51C29E34629C,SHA256=46FBC7B8636395E215BF0C2A572D18B5C6184B5FCEEB1109F0DF5F6FA590AD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.787{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_redirect.yml.tmpMD5=EF82029410749B314807CBDC086D99FE,SHA256=C1D96F064C79C75A7F8A32396D7F0F675F76AD3D8AFF29BC660DD6C11718CB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.785{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_import_from_suspicious_paths.yml.tmpMD5=6402E51956EF3E517918A1B69EB04CA5,SHA256=40DE698A68EDAD58A159F67D88D097E1683CCDFAFFAE7F482423D4E18E37320E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.782{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_remote_service.yml.tmpMD5=3C15ED189109C37C7767812275CC3C9F,SHA256=86505D72F51148B85FA73C50E538CCF4B36DEF5170E98A707DB7F11123DD1050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.781{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_procdump.yml.tmpMD5=ECD7140E10D3D05249B20242678952F6,SHA256=7C6E50B795954F419DB9E35B153103855AF8545519FFDFFE64C2CE93FF327EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.779{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_disable_eventlog.yml.tmpMD5=C44FCF4D0B80D244E4D4B5797D89DE07,SHA256=768C30FF66D0F0D67D3800F2939D0C0999F3A6E4901ADF2A4F36A562CDE1FED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.776{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexesvc_renamed.yml.tmpMD5=310298D4A5B4FC9CCF07B434BF0120F6,SHA256=58E13A1DACC2C890226EA194F3A58EFFD66661255C84CBAE3F4D9F8CBBEE11A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.775{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winrm_execution.yml.tmpMD5=72D1F4984B9A2E018D16E9487D75E47E,SHA256=AD1D0579AEEC192C451B1AB10C338DEC6D1D43A35C835B95A982BFBC4DE7C8BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.773{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_sysvol_access.yml.tmpMD5=35F61E6D1C30ABE2CB46CB45475F348C,SHA256=A2CA4035E2C8D6637F64F110BFA1B2D171600E7C1BEE5872A9A422D78B24A599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.771{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_screensaver_reg.yml.tmpMD5=64AD123447E1AFD9ABDFBC174B2E4116,SHA256=9C9919C09025B34337F6C5B2B8BCDAAFF2A163E72D2A7E449B1933EE414FFA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.770{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_taidoor.yml.tmpMD5=1E046E8B6D888C7691638E7F63745210,SHA256=18E1D8CE6EDAEADFF402308BDBC2600E48F05F16775AF93C1A4F0067F745EB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.766{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_registration_via_cscript.yml.tmpMD5=E2F9A0EB64620B78054B4C35D8118169,SHA256=0ED662288D3D44FB9382A7800B32EE6AB670FD08D7CF294DB56EA10C88224757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.764{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_rurat.yml.tmpMD5=25BB2E0B65E7855AD8F4CBA7F486727B,SHA256=EF2299118047309B0569A756E023EEA9215E9AB0F61380C5BE3C640A4A38718C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.762{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_allow_port_rdp.yml.tmpMD5=563747D1E8B0F4C4D4265467BE10D8D4,SHA256=9835BD7FF7BBCB7435510B756D62FC91C0534879A8441C402D88F7A3F948F27F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.759{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_pattern.yml.tmpMD5=D078588DAE48388C1ED360A1AD0B7B5C,SHA256=B8AB9593BE4662F570378D62824F8365F7BD4046851272FB5E84513515B4B4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.755{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_discover_private_keys.yml.tmpMD5=4E37A8478561F7EC395AAA8D98B83B42,SHA256=1749A9F102A0466D0C64F12D9F69208A0A869CD95AAAF3535C23CCEBBF97F2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.753{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_copy_lateral_movement.yml.tmpMD5=ABD8B455FEE19FB0FE78CFF94D05E692,SHA256=0359E1D32AEE741D5E62C6619A4B9D0152A2C89B76C4548AAF50E37B21530F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.751{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shadow_copies_access_symlink.yml.tmpMD5=9D64B8D5BE49F1DF0F1554894856F979,SHA256=5B7BA2B64030352431CA3BCD1584D60F4607DFA03813E48CBA504169B1DF4A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.750{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crypto_mining_monero.yml.tmpMD5=7F4A1202E71A56E4165524F16B1BCE20,SHA256=7E065FBBF0C3D01323E62F7AED681E6C6CFD65CA3760BFA3838AC3FE0FB54A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.747{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_gallium.yml.tmpMD5=06BBD039A621A1F07A6F4C8E217C2DD3,SHA256=D64D93BC9E972D56CEA22EE67AE1FEC9CE36D52F060374C74053649423EF0C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.745{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_query_session_exfil.yml.tmpMD5=EEA6F4551637BECE05A69B278AE3D09A,SHA256=32DA2051BE3D7C57001C6E3ECB15E4C4B2BD16A4A588535734B46E617275825A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.742{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_set_policies_to_unsecure_level.yml.tmpMD5=151A497874CB3A67C39E82FABBBEB3D2,SHA256=E157F0DC15513BEB37F7DABB01231EEBB1D92580DB29FD304FB18D84A91C666E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.740{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ngrok_pua.yml.tmpMD5=2A79DDF6993897609531504DFD51883D,SHA256=A78A99FBB19D93E53F350AD64506FAE4AE3001B01ED1F2B780AF795713173810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.737{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_mercury.yml.tmpMD5=4C2BD31D59BE5F7A6CC03AE4BE0D823C,SHA256=1D169127B78DD1584B5D2F0626F4615B4C598803F5EDB7E9901850AEEEA1BEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.735{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_curl_fileupload.yml.tmpMD5=6EC3EEFD9ED35503D619955D272473B6,SHA256=903850A8443065869479F2D71058A1722A5FF3894C003113BD9B7D24DC79F24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.731{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_credential_access_via_password_filter.yml.tmpMD5=288DBC84F75FF5F4559D82693B547BEB,SHA256=BCF99F0A32381FC8244357BE4BB11E9FDEAA7438223BF99817BDF54BD9955734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.728{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pypykatz.yml.tmpMD5=BBD519F3DDA365EA26F613A7220975DA,SHA256=45C1855D257C1C14393C3ADD17CC4791C320F2B4BAC4EE8DF5F488F941C613DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.725{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_bginfo.yml.tmpMD5=DD380AC5F6012CF02E7E12DD5D77B9CF,SHA256=05BF8B29608C85F04FBF423947048F5F87990B51F35580663D31173A990879FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000749588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.725{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000749587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.724{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000749586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.723{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_certoc_execution.yml.tmpMD5=C8880EBAB638426374F55A55D15E59DE,SHA256=80A1B78431D5B4AF4E526B3C270701E505363521ECFA028DFD8FFB7E9718DE23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000749585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.723{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000749584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.722{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000749583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.722{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_trust_discovery.yml.tmpMD5=62CA6069C0DCDC26249F512C472D387E,SHA256=39E8C02B5F9559659B4F4BDA4F94C7237253B04BFEF1E55A39EC05C047ACD2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.720{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nslookup_poweshell_download.yml.tmpMD5=AAE4C2D7BD17D47F7AA9CFB8E8AEBF2C,SHA256=903626CAECC988B7A39C04FD262776123B3F42A78FFABBBE1DA3B78B4823F37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.717{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winrar_dmp.yml.tmpMD5=7E8B33E898B49F5B85EC4E5E32751D63,SHA256=4A26D5A905E3C6908561FB49D9F7F1E8ED9DE2435BC3B1145E5AE17C81A9D834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.715{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_regasm.yml.tmpMD5=382B367E630E3BA0B5503029730C73D2,SHA256=D7CE3FF4076424FD40C1A6A14C5454645823E2318D1F8124EE9C70884D740E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.713{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_recon_detection.yml.tmpMD5=99A264754C241FBE9054CF5A7AF52408,SHA256=33CBAED3B24337D68B222EE360CA0247FADD4B25DD444406BBC80AA9E9ED0B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.712{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_change_default_file_association.yml.tmpMD5=A39D81623B607E82EA7B4CC0BFC7AE43,SHA256=9DFF68F7815FCDF400A9D98F0CE52A9C3C03E3C1E307B7DF8FFE5E4FB1A58B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.709{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rpcss_anomalies.yml.tmpMD5=7B6EC9B1562CFC6789C9649B840BA158,SHA256=AEED1AD22274561F307CE3CBBAA612FF3D449FB5BF144BF355B00A49183955F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.707{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_gamaredon_ultravnc.yml.tmpMD5=FECDB4C4485FBB3008A58ECFD1BBF394,SHA256=44B4D0AC2FC6C6D29A268A305A3F4B12C00F7F8B16A908D07DAAF994D8731CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.705{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hktl_createminidump.yml.tmpMD5=345C1CEA183C74AC1FC67399AA2E3986,SHA256=9459E419D0065D7B0264400AF73A6C204974B2CF38A375658912780278B796FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.704{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msedge_minimized_download.yml.tmpMD5=9051BC680A26562A0AF746EEF8282BA8,SHA256=3CECA3D34E58DC46691449B6522407756210027DFF3AA030B2842BDBAEA6FD25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.702{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mshta_pattern.yml.tmpMD5=C4BA3A0DD4E605989A1FC37C85C4A622,SHA256=DCAC60AB90CCF2EB739811FFCE293B501B92E41DB908D134156B92CBE300361B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.700{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_sofacy.yml.tmpMD5=1EF03458B82F86FBB545AD6BDE5C24FE,SHA256=29DF160C2184767DE4044E3043C59F5C9D221D88AC5F3FE53DCD956BD5AEE8F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.698{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_persistence_typed_paths.yml.tmpMD5=EE1C2182B481B04DA027C01A7D984C2D,SHA256=CAB2DDD2E68AD6076226B4BA258F3C7D3647B007CAFF86859917D40546AFE95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.696{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_new_kernel_driver_via_sc.yml.tmpMD5=A8DCD78D1C2928BAA7C5A54B9250492C,SHA256=F639ECCFABB674D38D4C662E132F597D914AE09AE9D8C31193CBE1442CE0730A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.694{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_termserv_proc_spawn.yml.tmpMD5=376A7E7C731C1C885BCF70CF8625D2DC,SHA256=404558E1C680303A597ABC3F6F5C13A15F5556B2136D3F1B6DF43013BEEC0E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.693{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2017_8759.yml.tmpMD5=19ECC329A8467AB3F1A0DB72BBCC6CAF,SHA256=6C8EF8ACA98242826C919D601E893F0B5F7E2022C574ADA1846D5B65A496C9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.691{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_unc2452_ps.yml.tmpMD5=E48FD9708C34A74F27DAB71B3B781E41,SHA256=1E3A355EAF1CA4CA2206115B80DD12E6EB8691864EDCD642AB42E6F867212D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.690{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_attrib_hiding_files.yml.tmpMD5=1271515AE266861CF6D8F3E3F7BB6CC8,SHA256=622A45737C145CA8557296139FD5EF87B406F6F23233C8800F1A34B2C9B01F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.688{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dll_sideload_vmware_xfer.yml.tmpMD5=938DD24B0B190AB42D9635682230E2E2,SHA256=A1FCA474455A7238686CF889F2BFF5AA3A4EAEBB39E851D4A1637587EFFCDBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.686{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml.tmpMD5=873141698C091DB14AB4843AAB40BE11,SHA256=3407E0713D736327C8A67984B696347107D6DDE44668F8C57102D5F29FEC13FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.685{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_vmtoolsd_susp_child_process.yml.tmpMD5=9865DBE067E42195C2477918C475AE91,SHA256=80A928AE4AE0D850DAED3FB0DAD77AB117AAD6CE12352813CFBD8A617C30CA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.683{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_register_app.yml.tmpMD5=69F152C1DE5887BE25C52555C7FD1406,SHA256=1B3FAE174A49946C2CC0A800C64B9535C043CDD72D72467939931EA56E139AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.681{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_system_exe_anomaly.yml.tmpMD5=F4D438893C18C1187B11644C3517F19E,SHA256=E1173018B522EDB355F2ECF7A80C1F41BD5F0E260862251883F15A15D19FC859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.679{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_vsjitdebugger_bin.yml.tmpMD5=B717B1C54D3ED6A948258AE921494FE8,SHA256=EDC0533B5B57BFD3A1EACCFAD3C6264109FA4C5E9106A5782536DD3561769E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.677{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_commandline_path_traversal_evasion.yml.tmpMD5=B0327BDEA3B8C3C3ED13BED9EB5DFDE3,SHA256=93AFD99E444B5720CE9AF49A35AD3215407E70D543358AC90323B6B8EFA84E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.676{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_new_service_creation.yml.tmpMD5=B09824385775BAF2E4C0F601EAEF72EC,SHA256=9E5D11664C91779CBCA1B854B467AE2BDF5314BE0D018CC0124496A224EB84A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.673{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_taskkill.yml.tmpMD5=215C66C440AE0F3A65D1E3A90CD16D9D,SHA256=45E8BE1C19FC1D4B43B6791934254FF58DBEA70A31F26678CD7C438863705839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.672{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_unidentified_nov_18.yml.tmpMD5=45F0B8EFA055E2547AC79D029A95FAC9,SHA256=B4CE20073572D3015A476A353253F9B210C2974A0C236690198D56ABAF3D0959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.670{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_psexesvc_start.yml.tmpMD5=A39B46C67694B11D5320CDA9AAA3241E,SHA256=C2CC2209C878A84E6D05E0B4B1D5E6F96BCD4401A56C203138FD3C723D964158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.668{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_disable_service.yml.tmpMD5=99F48758CDC93B0F281502A92FF55B05,SHA256=0CBEA4799E512FF1A4ECA46F4A9E4EA4CFDB5DC334AD44F319B7D1D241ABD7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.663{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF7883868EC64471384FDAE807260E0,SHA256=05ECF8F17BF846D68031862BC7E5857EE8D2B6776ACA9D0FB493312EABD75BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.663{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_special_characters.yml.tmpMD5=9D30C338FA81F6F2A211ACC12A4D909F,SHA256=15E18784D1C4FE67ED9F8AEC859017887A1104EB5271A900BE049FFF2C7A3753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.661{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_rubeus.yml.tmpMD5=08074E36A63969730C2F6EFADE60030F,SHA256=22025DB81E19B49FF2C8A910A2CBAC9A0E5D1F409BDEDD82EA5669A681A32745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.660{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml.tmpMD5=8ADEB3A19699303FCAD17701463307FA,SHA256=5FE95AC7442A30D6D61DF168556309853A2B2BB06D6354C896D2BE1E05B9D2A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.658{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wmic_security_product_uninstall.yml.tmpMD5=A23E0F0D6B4CEDA3303F60E03FEAF3F9,SHA256=121D84C448D9E26E6E9551EEFB1B8218FF78B729C0B16054E7742AC9B0EB2957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.656{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_python_pty_spawn.yml.tmpMD5=5F86704912F3D49C3A6699839BB6BEB2,SHA256=37E85594F88BF22C05DE7567F8525AF10FA74E3FD208400BA2B2E431B4DD4D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.654{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_devinit_lolbin.yml.tmpMD5=BCAB3CB6A60B484E92C1F8A7C57ED30B,SHA256=1E66ADD0AEADA1E500A53F5D5101D23223064F122FF4523B4E88F7FFB95BD4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.652{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_zip_compress.yml.tmpMD5=D8D5743360A451D77C513FF2F94AF1FD,SHA256=3D6D8662697B1CC42AD59431F8AB640F719317D7C6C1962A61654B319A217507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.650{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_iss_module_install.yml.tmpMD5=98C80C4058C84CCDAF697286FC850C19,SHA256=ED38A4E093B4BEF0F7081EF0191E7CF5F8C8E1755508CC1D3376A8B9704986AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.649{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_browsercore.yml.tmpMD5=D0B778753E710E78E68DCDBB46DF5F8A,SHA256=226E55896137153AA4133849E4205E245C46C1827B2433DE3087609389F587B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.646{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_etw_trace_evasion.yml.tmpMD5=09FC2CA220FA44AA10490437DE0A4F2E,SHA256=33C343CB2935BBD627A63C94E8E3D9C4B1B97CD85C36ED787E404608171C57A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.646{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_advanced_ip_scanner.yml.tmpMD5=81D32EA5E891222841496ECB15BF0FE7,SHA256=57ED3F52D13BA99777621478A48581451185FF6802AD88A87A2BCA848F00967F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.644{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_curl_useragent.yml.tmpMD5=62E6CF83C9809D8EA30149292CA864B2,SHA256=E43ECDEDEC0F1F4AC383F7B2290F6039F379D9F54F1A15855D836F355C0E46DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.642{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_read_contents.yml.tmpMD5=04C4BB0FA620CB2D067D9B9B4836ECC3,SHA256=40BDBEBB95E193F0D0ADBE6D03CAC68E3C300BA134BE1F82C9C374F2339A9EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.640{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_winpeas_tool.yml.tmpMD5=8D0E4A485B17F7ABCE6AF01A8F0E35A9,SHA256=3AA1ED628BDDADC20D39EAE7CB497FC596134561BDFE2D1A92894CF8778EDB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.639{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_recon_network_activity.yml.tmpMD5=37860051B35DBC4A1B6949E0D01F7AD9,SHA256=8F155E9B93F664569B10B38C904045EF994490EC4C99C421412A8A9351524EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.637{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_once_0000.yml.tmpMD5=42CF51ECD409E4D2B52A326F0288D95A,SHA256=6F2BB95F614007ED3195FD680BF60C8E95CB030A64785DBD1A1529F0BF765B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.634{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_dump_sam.yml.tmpMD5=7C649443B36E079F6600E54F82F448E5,SHA256=D8F205195945DE1E05C0C5923B762AADF1D910A482F71F974649430E79C58F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.632{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml.tmpMD5=A88264D27B3320C41ECA8A7CAF2AA70B,SHA256=2B4BF21983472D185723936D5A6C0C902021C02ABB63DA6B0ADCF4FA067C8FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.630{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmi_backdoor_exchange_transport_agent.yml.tmpMD5=45E3E1C67780227BE97654E13679DE6C,SHA256=0C98640351446FD1129B32B596D97F9DA56F6C1E1E69C22F4533D55CB0295D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.628{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_webclient_casing.yml.tmpMD5=EA14922B568081E626692A744C891070,SHA256=0E9A8398A29B3312DC6290BC1E2548A7DFB18C64459C8F6072CDE741AA2C1184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.626{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_iis_module_registration.yml.tmpMD5=565C16A2C7F0AF3A967CD79BBA11188A,SHA256=9A9559991C4D9D157748DC2D63013ACF011A8C30A2E3FB79873B0468EE7A52B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.625{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_nmap.yml.tmpMD5=1E0C964219F1DB72860F2E80E89FC90A,SHA256=2AADDB656BCF554634AA2655C917671716A5435D1FD5DD8EA8C22B04842FB285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.623{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_rundll32_dllregisterserver.yml.tmpMD5=F4B795613D2103D5D47C2C069A88BE41,SHA256=CAAE4CA338827F1B719DE028EA3EB41CD330B70B2A811974059EBF9525819AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.620{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_certutil_command.yml.tmpMD5=E9891E6D3F55AF5147A117A2194CC11F,SHA256=63AABA6883640393573D4DD4979B7F5AC9FD62AC1E647325265CDC1B40FD0A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.619{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_lazarus_activity_apr21.yml.tmpMD5=F829E8D936E33FF9519A763B72258FAF,SHA256=F1E9C0C3F03FAF0B7213C348A50C0728255B25DD8ACF744EBB9A399E9C1B40F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.618{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_convertto_securestring.yml.tmpMD5=6B68D2357666A895595D6673DFC391F0,SHA256=86F517EE0D77903B26E85921BA627AB21AC2638A9042981EF19EE3F9C8B4CA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.615{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_visualuiaverifynative.yml.tmpMD5=5D2C13E91D0D2B1ED758E18D49EB3517,SHA256=1BC500ADA16FB8CE06543847FFA6A15F5814C531154CF06B502D03D7F13F5CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.614{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_encode.yml.tmpMD5=FCE098210995F46195A1E0B49D74C8E2,SHA256=3023980C94B4F3112FC95F812E2AB4479A9ACE56E4D646356915839C6F3B6163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.611{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mstsc.yml.tmpMD5=91DA135B415CBC4B1A4E7E1608D7B9D7,SHA256=14452880D22A358C9C8A7B9DF5BCE5F87DC3558D3F66AD210B772CF82AD9B288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.608{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_protocolhandler_susp_file.yml.tmpMD5=83BC8AC04868FD1051F91B2AA03A67DF,SHA256=780479584D02E5076440B70D76190F4BE318CC8B9B56789656B45D7055BEB124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.607{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_msiexec_cwd.yml.tmpMD5=F2F598137A16AFA8640F7649C6018C70,SHA256=756409CE3685430FFE1B9E9FC747042B296F0FC86BF111506C1A05F39E5855ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.604{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_susp_targetfolder.yml.tmpMD5=ADABE187074E8F4B90DF6C8F4EB9209B,SHA256=0CABFD438078049E76C65503D69732A32BFCA19F8EA7D227EC7C9D3920588AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.602{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_email_exfil_via_powershell.yml.tmpMD5=9EF4FE92D7DA042FC8842E1B5F8688D7,SHA256=F68FE182A7E778E157A67536614D1A4255D266CF41E79D033526B7C610405441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.600{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_stickykey_like_backdoor.yml.tmpMD5=A384529C3FF8B6D9031591D17A8965A8,SHA256=4CCD19042AF56E5901E85F345231567BB84FC8AC8CC556206BA49385A511FDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.599{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdt_diagcab.yml.tmpMD5=58593B66D5A41A6339F5F1390EEC82A2,SHA256=201556F6136ECEDFC0D0FF7DAEEB1AEA3ACBE5BF6B3135B47F5796A751948D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.597{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_extrac32_ads.yml.tmpMD5=78334DA18F3B56558CCB5A59C3104F39,SHA256=B855C3EC45EBA5C749CDD337A511E46333E7802E45DF9875CDD76CBEEAE7FE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.593{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_copy_system32.yml.tmpMD5=55AB35471FB4BEE5E5D1B5A126AB3436,SHA256=ECA75E5C46FBF3A152A56EFC1BFD20A3F3B9530278D6152C41C689E8EC2424EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.591{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_emotet_rundll32_execution.yml.tmpMD5=12ABC287E798DFD4D14C9C2799CDDED7,SHA256=AD1A1919FD77BA2C42E76DAE8A8C2C4DC5F48F06B77FB688548B535F70FCA063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.590{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cobaltstrike_bloopers_cmd.yml.tmpMD5=8846B239CC9C7B8B3F45D7478D7D2DF7,SHA256=44A8734716414928E7C331F1B95751D5D827592525CE7AA8F6391F3FE0E505ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.589{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_archiver_iso_phishing.yml.tmpMD5=9122746EDC074A5E4620E27EA0210280,SHA256=9B2972FA03DA58397213DAFCAB7AAF77FB9D6EE9BA959A0F46E39E36EB920EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.587{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bootconf_mod.yml.tmpMD5=F32B8A02B9D032C0A763EF7A835BCF44,SHA256=36D1EDEF078EA6B61D7C289FAEDD0EE1A5724FA248485395378642314CAA8CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.584{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mailboxexport_share.yml.tmpMD5=04DE5D83D5D29F2D7C358395682F021B,SHA256=C784CBF656CED059B700B965B86B5EA1C2EAD56CBCEAF27DF25A777CA8B6F0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.583{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ps_appdata.yml.tmpMD5=C13CD7A2C2E2235AC996CD9F80850074,SHA256=FA1D37E99390B25431B6C0DA39761F86471C8CBC116AB2A38AF006DABFC895E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.581{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nimgrab.yml.tmpMD5=DB2FB8516B883CE8B9E31EEE1D1924AC,SHA256=49A4964381C1A3AFECCFF68F5D308ABE2E78F4AFADE599C9293020FAF772EA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.578{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_encoded_param.yml.tmpMD5=29352C3B13C8B9D61AFB753FFE5E97E7,SHA256=668291BAC3C2EA0F79BDBF1E22761101ADD1872CEFAE2A1CFD88E82AD9A8DDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.577{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_spawn_exe_from_users_directory.yml.tmpMD5=1CEAE80A737500477A336F09C66B6C57,SHA256=05EBFD7C86BE8B413780043710EFCDF73B0526A3CD129879C08C4813D00D63F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.575{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml.tmpMD5=2DC61B55D1E22EB69F2FD0A84B590D97,SHA256=63B1ADBF29990AEF668D898112C974A806E2391EDAB2A599888CE896596E0286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.573{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cscript_vbs.yml.tmpMD5=B997777ABE2CE87405662F94E5C7D7C6,SHA256=5B899BF585E2099FAE97C36A5A1FA7F2EEF699E5853445265ADBFA40A52ACD01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.571{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_msconfig_gui.yml.tmpMD5=E5B2F22F198B6D603A8D6D48086AB422,SHA256=4CCF8CE006A00267B5853B01A4F960707B2134CB597EB61EBD90484C898C3627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.569{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml.tmpMD5=584C7FEEFBDF899CCE013AF6D579B481,SHA256=54D5A6D8DA2534F9B7E95CFE368EEE34E975577EAF8953531E92E6828B2C6E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.568{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wpbbin_persistence.yml.tmpMD5=2EE9B6BF209DAD3BF5F254663E2139CC,SHA256=888A361B458866E6AB798FAA71F5751BC9BCDF4EEADACB521B26DAC9514E2AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.567{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntdsutil_usage.yml.tmpMD5=5852C7042F7EEE1A2CFF81DAE71B9B1C,SHA256=D688A03619065B670B9B6D3AB582124AEC008699B5F217868EAAAD1B4B45C36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.564{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_control_dll_load.yml.tmpMD5=A527879EDA4498EB7E178C41D543D4CE,SHA256=2CA7799C423E9A7CB55CC190A4CBEB746D3E5A85E000A31969A4FA115032730A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.563{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nps.yml.tmpMD5=836E843D91A13203E062A3B82B2EE0AC,SHA256=A96BE9539A94DC9D0081236E9A70BEF6C705902EFEF6DA2D9DDDC94423551AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.561{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_dump_susp_dumpminitool.yml.tmpMD5=47346FFB2D2CB8DDDE751C86414A54AE,SHA256=488117A8B379333851B7422C22ED9EAC4C3045B90E0CAE1A75F0A2BAB74BD596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.558{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_wannacry.yml.tmpMD5=82D31D57737736CD33A2DC6E8E1541FA,SHA256=952B58612FAAAB2FDE02C6D37DD8A536C24D461EE83F4C94A282898F4C03087A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.554{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_te_bin.yml.tmpMD5=ACE2A3E59437BA291D26DF1CC48D666F,SHA256=F5828B5B711B0964E5945716084A7B35F62E29BAA5996269135CD77299EC5304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.553{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_unc2452_cmds.yml.tmpMD5=BCBF8F1688BC373B5FF855504F6457C6,SHA256=7F1CEDBA00641E2BF43B1A73D0BB9BCF03DCEF94C6AEF645884B9EC20B30E113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.551{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_multiple_susp_cli.yml.tmpMD5=D17A5B96AC157F974397C887C600C449,SHA256=6EC916A7B121FF0BE3242C13F678B2246A33E6E335A09E8ACCEDE822678471F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.548{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_squirrel.yml.tmpMD5=4B1B4240BDB48A28497C6D633ACC978C,SHA256=442FB95B521C66CF25B72BD9F0E9CEA7BA15B42EB25C05FB94FF9799A448EBF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.545{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_bear_activity_gtr19.yml.tmpMD5=83B07BC821FED28A201D36FE9DC20657,SHA256=36FF6E8AE9BB7924C91F7735E46F6D2414B47559AD37A9A31C67DA3C2FF3CA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.543{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_disable_ie_features.yml.tmpMD5=6223F0366CC4D841660A857E67A692AE,SHA256=7F15013D0226B47B6DD980EACD95A9614E63CDD5F4B6D9FD40094686C96BFC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.541{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_base64_invoke_susp_cmdlets.yml.tmpMD5=08E211DA6089442D156FA8D44AFC2A3E,SHA256=32E2DDA01D93B360F413688E76364612626030862C84C57D46FC7E9C1BD5BDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.540{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mshta_spawn_shell.yml.tmpMD5=C2A353C6F76FA4AA2B8517F4A184705F,SHA256=0983C313AC0E342ACCD6B87C0252B7ED04D911485C5ED7F7F27274DE728B0F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.537{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_disable_raccine.yml.tmpMD5=E0EB49D4DD7F780EEE8A4D8BABF81797,SHA256=01BFFBDDDCD7C55EC827DA9A149B1FAE47705A8C75F7BA0FA947A4D1A5A14FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.535{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2019_1388.yml.tmpMD5=C1312684A4B1F4BE7B03726B411BC96E,SHA256=2FA99163AB88505867A9BAC00C489B7734B669743895FA791F3E7748C4C08A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.533{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hh_chm_http.yml.tmpMD5=F58E1EB05D1381E86CE42B9B1A1D1F86,SHA256=877E3104B4210F3328B656386A5965952E124FC1FD4E578D374F5CE40C7A18A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.532{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340809B5664676BED7EF425D51408366,SHA256=D45DBDF1286248047FC90E80A95969018A022A1D674EF406332F5E1204264499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.530{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_notpetya.yml.tmpMD5=4BA176667148148C208DA0D33AD3FA1E,SHA256=8894BFDDA6AE38865319DEF49BBA2EFA5136685FA5D127609F7B3FD61D10B470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.525{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_icacls_deny.yml.tmpMD5=BFB9DFB0A92EA51CADB314EF3D8F0C6C,SHA256=B130806246BD1876FFA2121952D5ED265415D6554D65A2B19A6A9CB621221300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.522{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_utilityfunctions.yml.tmpMD5=ED943809B306E7FE7391126AC2B2790A,SHA256=F8C331C11060A34954F999B62103B814AF2F9F4E8EF0E27887B55ADF323BA369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.521{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sdelete.yml.tmpMD5=78E3CFB589D3AFFD7F0AA34CA8E13B65,SHA256=C10AB127EB89A6951EDC69EA4CD516BC994AA495B40290C90FE0E757E9C41B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.519{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_qbot.yml.tmpMD5=636508CC847BEACCF2F5C11A4D759DE4,SHA256=36DDFC76A8164372778061EFD850C3E0D68A9E04FB63948DEBF1EE3FC80AB87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.515{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_codepage_lookup.yml.tmpMD5=502F5D2ACBE7D327BCCE2431B23BF27C,SHA256=6E8CA94B055B7FCE0FD3B09BA83EB39DB726337B439FC4E79079F1B0D77D6612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.513{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_interactive_at.yml.tmpMD5=625BD92116C34B6BC114237A47F9B44A,SHA256=B04BFCB61284B2B67794241A6DABFBBAE4DB125B31C5D40558D17AFCFEC88397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.510{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_base64_listing_shadowcopy.yml.tmpMD5=FDAFC824B06412B0C206E110A973455B,SHA256=943685400D5BDDC42B8A2C6F48C6730C3EA7ACC1C72F5EBBB95BDDD9289E6F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.507{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remote_powershell_session_process.yml.tmpMD5=2063D5E2AB7CB3B32DC3A8E002B321D5,SHA256=F9E89B06377865C7EE7594E8883528E7922CA8928732FE7C8F0BE918475F848B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.503{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pingback_backdoor.yml.tmpMD5=95A9CBBBFBC6F9266C092C488D94663C,SHA256=22AE86D4299FBBA5C416AA0C4D1E939D64DB29DB7D4C28176C0E987D44EDDDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.501{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_redirect_to_stream.yml.tmpMD5=13007DBE0FA6F8D615FD288589C11A0F,SHA256=098F3A3BC4144502557CF4960152B6CFFBEEA840AED903CA487715933BD430E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.499{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shell_spawn_by_java.yml.tmpMD5=BC0BCA8EB83FBCD33180DF6E14700D42,SHA256=0C14F2A08BAC6363CCD1E022DA1C276E6EEB737E3508CF337BE3DD43A7C00237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.497{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_presentationhost_download.yml.tmpMD5=41ACB33AC8606F4393D17647B46FBD93,SHA256=C8C63BF56126A0F0314C7D7512298934D84A457E040D0512C6AAB6CE092A9E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.494{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_network_listing_connections.yml.tmpMD5=816EDFB61F66E78F71506F700B8B251A,SHA256=52B6FFBB1F6E9FB6F1AFA69C8BEEA7116B4D7376D404172373E9C1749A238B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.493{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pdq_deploy.yml.tmpMD5=CD1E81D543D44BFA99B050A0F08C9A74,SHA256=43BAFF6F13ABB3E79A50AE01AF0C94C221D4566CE11D7B97F31A8C759FBB6AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.486{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pester.yml.tmpMD5=DA05FD87C776C6460AC1D83DEA1C24D3,SHA256=D55C9DDC9D372ED5C04C7A9A8934AEBF8182C50384381E57715A565A8885C029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.484{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_computersystem_recon.yml.tmpMD5=731991181A2CE4BCE9CA434BA5991099,SHA256=C8CEBD5FB0A94E70BD1B5C0FFB9B4882D412C55D6E8C5098563A17BB3050638D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.482{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_network_command.yml.tmpMD5=5A3F2EA0BC1280C892993A67920E9387,SHA256=A25121957728F958291AF80E72E4A72DC7001417D85C458F0CE8551FECB8926E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.479{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sharp_chisel_usage.yml.tmpMD5=E536D7FA483609B690A42AA8B0A41FA0,SHA256=02388A08C0B3E0B763B7D74F433DA679BFC25D874D757F739956D430BB6558D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.477{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbins_by_office_applications.yml.tmpMD5=51F799D42D14DC88064AF4EDFD899855,SHA256=C71B8F394618F976753922A3691004243ED142B3DE1D9D0DEA552FD66906FA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.475{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_instalutil.yml.tmpMD5=3970025EAC826DEB90B72FFF99B80231,SHA256=E85C150A8FCA87378C6001964F14C93F9B83FCB7B5FC4C9B9F2BA84AD07F590D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.473{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_sharpview.yml.tmpMD5=FCBA6ECBEC603A1CCDD9845CAB6B1F8E,SHA256=6B97CA1509BCCADA7A11B3405DF71BE6DA85EB77C685DFC5F2719D9E7C418ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.471{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysinternals_psservice.yml.tmpMD5=70530D397B4B585FC4D46F2215CD4A37,SHA256=3837A58EDF4DFB51FE0E0B6E9C20BDD0948882F6C6EE77BCA104829E337C3A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.467{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_plink.yml.tmpMD5=E471B0A153ACA6F66BF409D54DDFB7ED,SHA256=2DF6A7D2F4967B156DD615037AC901BBA7A4A64557A080898673C3A045D9F50C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.466{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_installutil_download.yml.tmpMD5=D609028E23ADEC57214BD41B55747956,SHA256=4D523B6AF3809DA01FDB51C2C5F62D137A3FC86B36A28F8E8D7275B424F2EE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.462{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2020_10189.yml.tmpMD5=DD8AD278046EE82C5A16B47D80C27FD0,SHA256=52DD58D2748A98C13BF667F72F3685C8C94BC5B87119BF2B4D989A5419D26D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.459{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_bitstransfer.yml.tmpMD5=DE7AF57F7B2AED289DC13CA59EB7AD8C,SHA256=7247A46C8EC1450BE3075AFA563607C8127EFE085B3CB887456607469C72BA57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.459{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9283F01247C8A0DAAD7B3BF59BEE7D72,SHA256=6EA5239D3ACB6AF01C6DBC19EDB63CF88CFA4A32517BB96FE5CBDF6A575B5953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.457{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_user_discovery_get_aduser.yml.tmpMD5=282523F422824F950EFE88D9039A465D,SHA256=9665AD4B1F5A7EF0EB1C4E979B0F7A950E4191BBCA2C7601E9606ED249A70790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.454{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_turla_commands_medium.yml.tmpMD5=982F32EB3854A6B3318C2FD1CF87A59F,SHA256=68730C5E7911092AFF51694ABB4E844B31B5E133CB98887F0CD0E2BE7DAF7AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.451{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_dir.yml.tmpMD5=5A5AF3CE5739FD514B51E0040232CE67,SHA256=44D1FB382ADFCDF1DA067B84348ED973DD6784D755F5F85765237004E1B73DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.450{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remove_windows_defender_definition_files.yml.tmpMD5=D1F8EE33274E9ABBBE307F68B472D406,SHA256=812CDED01816E1B13AAF506E53FB16A8832EF288FC6480C9D00030B4583233CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.448{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wuauclt.yml.tmpMD5=5E43D86B65F6249DE82E4D9AF9A85CCF,SHA256=FEB12FE8E3F8B19B66CE3CE43B240A4404BD1059FEDFD3D87EF39E88BC1B4238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.446{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_execution_path.yml.tmpMD5=149FFE439340D611B26CCC151EE39D13,SHA256=F7D550320015A675448B9940CE72985ED7ECAC8E1473AB4A2254EAFA816A3012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.444{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntfs_short_name_use_cli.yml.tmpMD5=CC157AAD78CB32016798B3E4BBD8DE1E,SHA256=4F03D0E16FC67FC68299BBA01416510C29431D7BAEF4ADED9D1DE8D3FE30C8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.440{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_sam_access.yml.tmpMD5=CBF1681179C78527508962C1F6FD5B01,SHA256=86C4A0CA48462EACC010368C47ADEC7B10951321AF50A7D74139B175D4E95A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.438{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_enumeration_for_credentials_cli.yml.tmpMD5=D63DC49DF9169783F9C5CEDC6F7074C5,SHA256=8BB97C3E825729CD1CC447410F49B68965BF0C91B758EC14DDFECFE058FE2704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.437{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_procdump_evasion.yml.tmpMD5=D0426A45CFA69B0BFA39285C8A0E8310,SHA256=DE9BB8B1886F3ABF96AFFDA35F4BBF9E8FD39215100626ED6EF0F374413EFE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.433{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shell_spawn_from_mssql.yml.tmpMD5=710ABD70E2857DE113102ECBA1D54CE1,SHA256=2D67222137D4E477494A51FA26D636E14ADDE022D8ABFC20B731E2FDE71ACE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.430{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_runonce_execution.yml.tmpMD5=1B616419836FC224D041FD678795BB8E,SHA256=18D9962AAD8ADA2B8728584D4228EA97597E3A0D04D3E67878D2DFCDBA4C75C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.424{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_logmein.yml.tmpMD5=CF1AFE8B25F246260247854E5901300A,SHA256=E51A86537A409A104AABDC62CAD0DB0C1F12C1A82B0CFD5A71F34C99B1478C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.423{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_svchost.yml.tmpMD5=5BA71E001628F0E3D653F2207FC01FBE,SHA256=1B2A51DCF7863F515C8DF1D577F23CA1576F43178C41A8084D15A8FBCAC85DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.420{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cl_loadassembly.yml.tmpMD5=C1DFF48E897EFF56DE068FDEBFF12EB0,SHA256=A5B1D1EEDFE9C06947B833D3B743F4FE82DAE7E9971272B192E30867BE07470A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.418{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lethalhta.yml.tmpMD5=766F545646BC6E8B3C902A3975D459C1,SHA256=F532C2339549A6E3CEB86F3B728D156AF895CDE443C59C0C2A9DFB93434D3B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.416{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mimikatz_command_line.yml.tmpMD5=738A163BEA7C663113EBD1F669FC3ECA,SHA256=AFCA51101211060AFD8A0403B6B57544F7829F648A13CCB26F315BE38ACC8D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.412{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winrar_execution.yml.tmpMD5=A5EFD62415486FCEFC8B2A19BAE9CF24,SHA256=F49848C2AFA92981D1117C641F1AFC28D84A64D0E39474A62EC02078F4B3282E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.408{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntfs_short_name_path_use_cli.yml.tmpMD5=0650BDFC17355E947AE49D4059888B92,SHA256=7C2D51F94908CD24BBAFBEFD77CA82FE42631C9DFE279B0196080BB10CBD665D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.405{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crime_snatch_ransomware.yml.tmpMD5=1A2D53CFD056C90E6DA3078D356110DD,SHA256=1A2ACC5A7F8C6C84D2BA5D66B5FC403FA347F5BC5551270CC13F6B5B56A0867B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.404{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_creative_cloud_node_abuse.yml.tmpMD5=DEE9DB6F891398CC10593BB263F561F3,SHA256=E185884607FD28C9D317F45BC695D4E8EA4102A3271C1F69B6CEB48D0DB0AE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.402{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_silenttrinity_stage_use.yml.tmpMD5=3FE60422F00EFD152C4463CBB027E508,SHA256=A4E18DE7D7F97386371294A8EA76475E3455E7750E06CDCD5E4B3127B52F8ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.399{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_file_characteristics.yml.tmpMD5=186AE19F678CFD41FBD7A87DDACBC261,SHA256=51B42294C01B575485D770E7E2134346D4048B96FA3AB07BE785BD242AFBFC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.397{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_user_add.yml.tmpMD5=26D3506F245BF40DCAAAF0056F0D3907,SHA256=6522F5F3352C85C4F483E0ED61D5E01FE0D808014D1798FBB524C3F5B24168C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.395{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_ieinstal.yml.tmpMD5=77370869CD9EB3601A9C6870F4D02A39,SHA256=0DA49B4376AAF7A46E6938467F4D4B02660C460E89FEF7747D3EA338FB72B7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.394{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_unc_path.yml.tmpMD5=46235F66B662599AA809242C5BB2EDA5,SHA256=118727DC40AFFE5D7B237C0B2785CDEE905FE37721FEA08D67983EE43E60B491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.392{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_grabbing_sensitive_hives_via_reg.yml.tmpMD5=5A999E8827293F52909B6A06E26632A4,SHA256=8A12C5AEE60D1E88E7D6750C6B452C16FCB7C0085CD51D9A3091FA4A4363D9CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.389{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_diantz_remote_cab.yml.tmpMD5=2AF28E961725F2AD0EFFCDB40A122199,SHA256=2FB32F6B22A7D6B81D1B393478C41D0DBA4E6FE85553640BCE6F832E84F55AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.384{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_adfind_usage.yml.tmpMD5=ACD3BDE1F2DC3F20678B3C41022D4E63,SHA256=16D483909DF95B1C650C3B9BD10069FAAC2F598E001CCF58CCC16179C93B7983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.382{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_csharp_console.yml.tmpMD5=FEB96CBAC05CF9281DB7D6218DC34012,SHA256=C1EF190142F125B5D5B5811F1F3CE9BFCCF08F27A14D73EBA7A28E1D35B3021D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.380{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_jusched.yml.tmpMD5=1E00FD600AA5CDC7ABF2101FEE66F6E3,SHA256=CAFAA712190E47EB85914ECB60FFD617D8762FC9D31ED879CA3E46EC094D22CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.378{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_whoami_as_param.yml.tmpMD5=985E37CE3C9E0553F225AEBEFD2AE6E3,SHA256=8587031FF383C683C757BB73F0DE94DC5A77A29F392991949018B9049608A656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.377{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml.tmpMD5=5E6F947EDE1EFEE37B13420FFA06B403,SHA256=456870023127E742009DA2F292DD5DB773F22FCE22B5765A63CA3DC61B606ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.371{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_always_install_elevated_windows_installer.yml.tmpMD5=7628BB21E862413926E8A2811EA95471,SHA256=7FC12B47543922DB5E474CA64F0858AB385E107EEE5FD260952B44BCAAC78BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.368{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_sourgrum.yml.tmpMD5=412B82541F104409CBB862D16440B069,SHA256=46722545052596C29EACD7959AE0B6FF5379C1EAFD8FB322BE295093344C6EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.364{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_winword.yml.tmpMD5=0453E80F0644619BE7F88F05557C6467,SHA256=FCBC07692CFD247F5B0622436DB1502D9CD9B0682011186FAE1948BE28EE8DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.362{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_impacket_lateralization.yml.tmpMD5=A70BA160734D9C89439D44E3D8F56626,SHA256=B25FD4EC9F6F80A001DF2E3C421320EC11C6CBB39DF4CF925AEDA9638B630D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.360{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_actinium_persistence.yml.tmpMD5=08901027EEF162F077ED4505BD783B17,SHA256=5913D327E648CEA3C12106D3ADF2976D1D888D7D193FB1C9444BD14252D25913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.359{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_no_dll.yml.tmpMD5=189CE31D911C5AD21DA164276017960E,SHA256=1D125DE598BFA149481CB16B0C5B9F273DB6C4468C152575733C4B1FF34BC898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.356{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_clip.yml.tmpMD5=359EC12E04749E395B80999C4A54EC72,SHA256=4590DEC9061E9DDA694CB8D83B4AC6CCF680BBD00E812EEA0F0E4E3C5029422B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.354{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dnscat2_powershell_implementation.yml.tmpMD5=15EF428BA53223B1BD9DCEA96D0D97FE,SHA256=E6D1AA1C1CA6BE7382649A24E11BFC085AC035E1E2FC2687D32996F5F066C921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.352{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_user_temp.yml.tmpMD5=BB3F936A9BF020A6680A2A2C292B0822,SHA256=10E3ACCF1F27295FD95BFCCE4790F3D3E7A022B37B9E8270F850C01DDEB06789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.351{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_conti_cmd_ransomware.yml.tmpMD5=6B968F783D60320135D8F9E8274713A2,SHA256=9DC91FE0BCB572FDC46CCB3C3544A46C923B34B5F2E5FFB02B8B2EEAC1D8F4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.349{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml.tmpMD5=C2CCAABAC8E5F8CED6B4719205DBDF17,SHA256=DD3858F61B50791E2B5C93215440493D63DA946E65A9771EA8AF301F6CAE9A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.342{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_web_sysaidserver.yml.tmpMD5=0D25E9A7020A4017BE4E26691112C989,SHA256=D471A9BD2F2926B526EB1CD86BE5A2A824495F834072D2C125B1A16CA61C9593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.340{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_adwind.yml.tmpMD5=D193F9B62922EA7261874879D9D78EF2,SHA256=B618EB0862AA89CB114C8531F5D1B711FACD734886E266D6DBF745179E9E30F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.338{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_trolleyexpress_procdump.yml.tmpMD5=39E54B40BDBBE4EA203D9404FCDD4359,SHA256=A00C156F9C4418F9472BC28985EBFB0656B72965144A772097639E2917337A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.335{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_dctask64.yml.tmpMD5=C7FBEB5E3A7E090C6DF44222480A2C55,SHA256=974DB81960E6F27EB958A4FB05120F4A953BE8BBB24D52EABEF55448A49DBD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.333{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dllhost_no_cli.yml.tmpMD5=1274EB9342D28DC2C050DD04C091383B,SHA256=E0CF8883E710BC553D2A5B79A59759B2A843F0A397CEDA7480BB3B93408A5297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.329{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_mftrace.yml.tmpMD5=F3C086A86C025311C669505C1AB442D5,SHA256=B6DB619AD8AF951507A96878A2DDC2F7A78088DBEDF9782146E55EFCDC656749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.327{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_web_request_cmd.yml.tmpMD5=FE64C5AD1E0BC0BE3A46DFE2244D7743,SHA256=7E45D0419468BC1060D70DBF3F34D265F82F1183AB09A6E6B4A476F447551AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.324{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_deviceenroller_evasion.yml.tmpMD5=521006E60BA9F8DEB67C3374B8C3FB87,SHA256=9DEF799491A5B3C4D74B3FCCA98441EA3B805F7A9A836D0A17CBF549E7B268F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.322{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_explorer.yml.tmpMD5=83BF983D9865E7944E288604E09353CF,SHA256=3EAE675DF8F27189E439CFF3CDE9DA18E05E1E8B9CCC023FD77C93FE51D8922A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.321{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_7zip_dmp.yml.tmpMD5=B4E35C8934465DA291F9B103FF390D35,SHA256=816986DEFB0238FFFFA4BADD1621894306950F41C55A7120A9151D13873600EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.319{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_spn_enum.yml.tmpMD5=F9664BED5E4CAF59A92979B18813B22A,SHA256=59B3C99F297E9A35D570CCA3901BE9501A57E0DE6BE91DC5F7C36883711E30CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.317{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_empire_launch.yml.tmpMD5=F8CA4735E9ED9C32BBA0C4FA587C55B5,SHA256=2D4167E803BD670ADB540C3EC82B55DB17868D8B30D9261226FCBCD783658E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.315{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_teams_suspicious_command_line_cred_access.yml.tmpMD5=FB1EC2363106A36C405030998FC84DDD,SHA256=66057A9A48F6FC95804165BE3CA1C91BC1EE4FA1D62747BB90F68B35114038F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.314{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_net_execution.yml.tmpMD5=3D585CB416F0AF3F485EE3CEE2031416,SHA256=28C01949AB067358A7086A1C0E9BD6F956F00C3841465601239B22A518ED234B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.312{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_advanced_port_scanner.yml.tmpMD5=8423ADE46CC73FE7D51C2F1382501F55,SHA256=54BBAD22D12373DBA08AF04C894CF208018F6D23EBF0262238BB5E21B9C405B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.311{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_download_patterns.yml.tmpMD5=C4F028B301594BB54706EC2ADD2AF0B8,SHA256=AD1AF794C84D8DDDC99FFD0ADACDE907A8BE18E1F3AE041357F468607EBB51C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.309{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_systemnightmare.yml.tmpMD5=F04D78F35DA58C9148F485122E1341ED,SHA256=AE57311EF299DD55CA3646B96A05906BDC60ECA6E4D5ACDD1CC01D335F459413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.307{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_mspub_download.yml.tmpMD5=A0594510E07F487F4889BFC5E6B46186,SHA256=957052E6EF9E1DFB58858EBA4151FA6EBA6797A2A65B8A846068A50B8889520F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.305{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_calc.yml.tmpMD5=AE4E5F062784F99467C67998847C1ACB,SHA256=74DCBD0988EE7A126AB52DE954DEC6E5231A3B832B53DDE9DF4697823123F450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.302{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regini.yml.tmpMD5=F1AF6BE421F69840B67B388FF3B89892,SHA256=3ADDEAC218E8FDEA7E05A42D3C00D899E2415D62F86CC9AB08E63BE0CEA50A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.300{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_adplus.yml.tmpMD5=EA5590117AC34E935A19E7C48583D122,SHA256=23EAA895B48195C810C646A8FBCD88A7DE088F12A648AE6C783445568C289E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.299{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_defender_exclusion.yml.tmpMD5=3BAAFCD351190DE1E8DE9EB4B8E9A0C8,SHA256=D9EA517B4297EDD3E558EFF7246DA5CFC0AB40EE566376CF71AE88E5A550C444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.295{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_findstr_lnk.yml.tmpMD5=308B153BFB2DECA46793259C12A17E26,SHA256=B80EE1C4DE69E183F4839F61634C185A92E3ACB81C2B3ABCD8C50F43691CC81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.292{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_hafnium.yml.tmpMD5=01213DA6639833846BCFFE53D11979CA,SHA256=F2CB6061432E456441DD37784C86A485522EF9513611CB122742EC7B94ACB05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.289{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_sideload_link_binary.yml.tmpMD5=C9731480F9FC06CDCBD4D344D4BEC778,SHA256=F33727D26FE80CFCB6EA29D2097E72179C50B6982229B2C94E1F5E603C4F9EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.286{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_new_network_provider.yml.tmpMD5=6E04F46B7E7F2F10E2CE77FAFF5D1F72,SHA256=EF1941DA5062E2AA46D9F71BA8EE68B2E6C75DC654C8FF0C3C4BA6A191FB0866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.284{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_csc.yml.tmpMD5=0E763C18D215F22233ADEB9D4F9E2F6C,SHA256=6DA98DE8541B20D861C70FC83A49A94DCF6CC4DE96E2FD13C4D51D445594B7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.280{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sqlite_firefox_cookies.yml.tmpMD5=CC2AF7CE3462A88CFBDD03787DA67565,SHA256=C37EE4FF1A478F31E24935ABAE23ABD3188F05B6065E76B56663CCB37E6B58CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.276{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_char_in_cmd.yml.tmpMD5=7AD6B39D83AC8AC8C98EBD868B36AF2C,SHA256=7C652E172C1C101367B99F84E33A82450BAD588935A9186BB915A63FCC03026C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.274{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sdbinst_shim_persistence.yml.tmpMD5=7297CD91924DF65130826E387BE6739A,SHA256=C4BECE2844E3D4E37FC34D5D53E55197C7A17FB8D87877949484FA938B5779F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.272{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_dacl_modification.yml.tmpMD5=D7033D3854CEBF8E3E009B19F969E686,SHA256=8133D49B9502B958BF50809960A338FD77D8D080118C9FF84DF06F6A7E0B70EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.269{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_configsecuritypolicy.yml.tmpMD5=183986AAB63C267B72682FD8B6AA6C43,SHA256=7B8BA4752D2FB5E0BAB794458E5DA23CCA37361F854733A7959D2C4E9B41BF93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.267{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_screenconnect_anomaly.yml.tmpMD5=4DE5DABAF5829DB54DB393C8C5826724,SHA256=E42C598128F070CC216A0D7DE838F723B17B2663A01E4F6F35EE74410A46FB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.265{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_zipexec.yml.tmpMD5=8E5CADE79A86F8A0EDE55154A3FF6C0F,SHA256=BAEF33A615E95F0EEA3C3E972A89C910C0F74976A094276535BF6219E1CE6E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.261{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_jlaive_batch_execution.yml.tmpMD5=3DCB72D3C7CF866475E1610D41F63EB7,SHA256=D30970A0CF2D6D40B1B7187804221C0220A5E71F2A61044127EED99A470429AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.259{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_tracker_execution.yml.tmpMD5=874BC64A5C9E829A0EED3063775FA224,SHA256=76D37AA70509D4C4D122C0902BD01B6071B6EEE6D9A270CEDB16468318EE9C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.256{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_control_cve_2021_40444.yml.tmpMD5=CBBC758A1A3F3051E54373D96D889A9E,SHA256=09DEF51C84C223BEA13630F0CEB7CD377F2AC5A6D2C7842A924FFF02665F8923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.252{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_purplesharp_indicators.yml.tmpMD5=86219BA5DED3975F42ADE54700FD1FB2,SHA256=B5677B7EE48DB434F117D8EC0B2986305B0B578F9BB805100BE98624DBA598E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.249{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tamper_defender_remove_mppreference.yml.tmpMD5=18464EEDB3C605E5234DD9D1171B870C,SHA256=0A3131D5EB0DCDC6559D866CA9DF2AB877A75370DE7F6252EA591FBA3B02E72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.248{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmi_spwns_powershell.yml.tmpMD5=6BAF595A3A30A592F7442A301146F2AE,SHA256=6E668E2E72090A5F4B31F9DF8ED76ACAEBED304BEFF4B798F2427B2037F7BCA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.246{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_iis_http_logging.yml.tmpMD5=8E36173902CBEDB3FD03234BFBD7CB09,SHA256=BB59D91EE3AEFE88413BD178D7E1FF84DEB39B9A844EBB1EBFF1160B90A66AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.245{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_spawn.yml.tmpMD5=79132E760E2DA7094EFA83D187383CC0,SHA256=654CE606402D7B98772556CA3C7B3426EF65838969632986F88123DBDA44A381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.242{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_encoded_frombase64string.yml.tmpMD5=7D585FD8B71984C3DB81508D22DEBBE1,SHA256=78E449274168F8360591C892F5B9FB2615EF02EAA53BFB04B9DBBAA6A4689653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.239{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tools_uac_bypass_computerdefaults.yml.tmpMD5=63975EFEE92B37BA89F124DEBE282FAB,SHA256=E69DB726634C93887447AAEDE7759CE35068F36AA6F82C80DE01E797707BD407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.237{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexec_eula.yml.tmpMD5=3950379EAA15D28F2F08077D6F3EAF67,SHA256=07577EF0BA28CA5C89D718D7D46BEE5F57B965F2EDD40F4A8A28CF955877EF94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.235{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_js_runhtmlapplication.yml.tmpMD5=D3AB42C1567C5C3E6FF255B025F0B419,SHA256=A3E83D972E12DB6537B0AA3557F9BE6E9D055E536783FDCFFDB816F7190CE28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.232{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_diantz_ads.yml.tmpMD5=E326049D6665E66271003E200B4A3109,SHA256=665B137BBE7A9E6D6141BF2C1C7F02FD728F11A075FAEEA10C7C8F808AB2F2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.230{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_enc_cmd.yml.tmpMD5=4A17E6381BD07EFD1987DDDC54DEEA79,SHA256=C117AA5CBB706CF79BA9CCF6162CA8E97CB62DF3058FC0438E221F881F7B0EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.228{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_env_folder.yml.tmpMD5=E0653428FB53CD18CEFC55EB23D97B6E,SHA256=291CD5EC5CDB440FBE02CF931BF04E576F3C6AB7BF71C24CCA86F592ECD8DABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.224{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remote_desktop_tunneling.yml.tmpMD5=9CA711507D45224C43D76D55E68831ED,SHA256=82A5C2EE3A521AD31344C6ED7A43F1FB4E4891119246A3B2923A7297675FC88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.221{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_obfuscated_ip_download.yml.tmpMD5=83AE369BAE2076FE2E00F7CFCED11541,SHA256=C3D6A6208F1CD65E1B7B6CF649B62A2A090EB67C6D656050A04616253193800B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.218{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_iis_connection_strings_decryption.yml.tmpMD5=2D101E2934C6E66C84D52D3E566B0183,SHA256=8E6AEC1074E743DCFD3C7257A2E184346C847747063413CA6683AE6BE00CB04A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.216{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_public_folder_parent.yml.tmpMD5=F817A7D9FECF6B65B3AF700E0B87C8A6,SHA256=61805B2CF9E6BF66FE658D05097AD36BD8FADC0C5D9A521BBE64DF34712909C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.214{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mshtml_runhtmlapplication.yml.tmpMD5=6A4FC380EF45920C1BD58ADB31FD1560,SHA256=256A8793E60598F764228DC72567C8868253D20686056EF3A95BCCD560175356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.212{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_specific_comb_methods.yml.tmpMD5=05BA27DD527B261021DA817CE3D03AD7,SHA256=601DA207EA94E9E76EF801DFB71FD301A5E0B54270815D74068393E6E8169850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.211{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_dump64.yml.tmpMD5=2EF6B5E75F55BE669DC64E34C6B15374,SHA256=582040BD3D0C382159E6495DAC7A79456B09D9CC4E25FBDFEA47B40A2D2CD242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.209{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pchunter.yml.tmpMD5=380A26F985F62C40D095D06112C7A2BA,SHA256=F0BCBD2C771C076CF9FFE87374AAC6C46D59D0069E6FD79585E588A0E129996A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.205{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_16bit_application.yml.tmpMD5=5B9B9FAC98A844F06A4069052E9A97CA,SHA256=1B89356EC7AE98B03814E49E17AE38DC5518B86853F9A1B0AF4CC8F7899AB0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.203{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_w32tm.yml.tmpMD5=8E0B742C0375589374789718994E43BA,SHA256=A3CDF960A450B7AB6F49771736C75A0BC99A0E56E3D5C5A6B316BBC49F00A9D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.202{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cl_mutexverifiers.yml.tmpMD5=D14DB2B56E1B7D0BAF1A6E975DB2FEC8,SHA256=6D579F4BFF8E127B1F1D5D72C5038262F3E347AFF098DFA4AE490779302E5F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.200{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2015_1641.yml.tmpMD5=C3F0A64105D111C317350EAA878297C3,SHA256=EA264BF84F70EBBA3ACCCC6585F3D3B61924CF377235AA1A8CA3C4EE6A9D1F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.196{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DB2A55C22636C11772D54FFCB6C18B,SHA256=9CFD44AF2A4E0735579FB5633E33D192A067D426DCAF69D32E0CA414651D86B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.196{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_bcdedit.yml.tmpMD5=8F13F32980E093B09B58556A4AAB3CEA,SHA256=BC33E1545729E29C30537AC1446838E59BD4937EF5594FD957D519943488648D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.195{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml.tmpMD5=693130AAC3C0EC97C9256C3A546EC811,SHA256=05613C106AB1D3E1C9ACEE4D35E764B470D648C4131ECF5428569107A0604935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.189{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_amsi_bypass.yml.tmpMD5=09AB2AD56D8FD76A57166FBAA921EE93,SHA256=FDEADC390F4FB682748860C977C07F9C24E07EF87576DFDAF0EA8DD1AB6FA72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.187{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_whoami_as_system.yml.tmpMD5=D431A9C134B7C1877023E68E556415C2,SHA256=1B468AF8695845432BB0A238F134C73F7C60752B5E3EBCF78F26719E143FA2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.186{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_dosfuscation.yml.tmpMD5=0533A4AFB19EB5A88D30345E07B77D4A,SHA256=796ABACCB61083B3C0D596C95CA63D79B889AA3C19F913959082C880ED72FC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.184{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_where_execution.yml.tmpMD5=1943C0C12503D3E60D6569AA81885127,SHA256=BD48F85299D9FD52875F919B6CF35393E203CF63B8DE8C657F4BCC18A55EC6C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.181{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_7z.yml.tmpMD5=19D81C3AFADF4C18862AABBCCE61BB0B,SHA256=06461C0AF84CA689FBF2C8E26CBA93E04CB6D839B75C24375EF70E04D6B246BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.179{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_device_credential_deployment.yml.tmpMD5=0085E2674058757ABBF34205DE88EE24,SHA256=4110BE24BBC68B29BA98AD70275491B0B3A60537E3ECF5089B6AD518A55634C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.178{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_win10_sched_task_0day.yml.tmpMD5=BE89B7AD0EDE52E516C1849E1E797B3B,SHA256=C17906FB0EDAB1A14216101C02CBA7910006DA1E2FC003120CFB71DB19E001C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.176{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_weak_or_abused_passwords.yml.tmpMD5=78FCA44AD9F914A3D4D8EC11D13CF4A3,SHA256=5D6DE4925D8E0C024996E8FD75A41DDD07E7FB55E2E6FE4B8CDE4038F04E21EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.174{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shell_spawn_by_java_keytool.yml.tmpMD5=C9A224162684340E21008C527F2E0F04,SHA256=EFC3A656527F2C0FEFBC3C7B804CE3D3BBAACDEC9386D4682BB4748CE697A0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.172{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_bloodhound.yml.tmpMD5=1855AE54733673B07F072714638359FB,SHA256=C5BB5C57D8109918EC420159CF045ECC175DAB26099D3F63B989786682471BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.170{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_chisel_usage.yml.tmpMD5=B9631C9D9F1EC3F0567FF3B852521BFB,SHA256=3F100A47510F6695CD97930FB1AAF38FE5FAFA1D1AE4FFEB5D79E0FDB47A681A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.168{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regedit_export_keys.yml.tmpMD5=0BB6198C83E40FD08AEC1C47C21C6249,SHA256=2AD8144315FDE9F7FBF401BECA45C4A2A85E7F115D3A67DD6AA300A5B128BD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.166{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_offlinescannershell.yml.tmpMD5=D6FB841736722D70ECBA15500AE42B5F,SHA256=0D59CEEA6BABAD1E1B05C8650289DBF7CEED5B12B8C104096EF39621BD3123BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.163{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dnx.yml.tmpMD5=D1AE69054B35955CAB3E02C148FE30A7,SHA256=3FC1484526BB31880C70BF7B483DBBFD2C60F15951E23FA3A871B66635A722D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.161{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_parent_process.yml.tmpMD5=E6CF1476C2804F847867EBBB5F5F808D,SHA256=39E438C0B408AC7348273568E1D5826203CAD3B6A5E444774FFC896A796CE204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.160{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hktl_uacme_uac_bypass.yml.tmpMD5=6EFB72808C57A1E8C9862E15B76A8BE6,SHA256=3FA32017960736D01424015D772D8BC9E824E509E1D354EDC095A61FE62ECC98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.157{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2019_1378.yml.tmpMD5=801F21783F582632DBD5BFF83AF5D47B,SHA256=3ECD17719A0857EF86757BD4E077FDF563A79E92D4D0071924241C9444B6ADF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.153{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bad_opsec_sacrificial_processes.yml.tmpMD5=290BBB32D0F2EB46E64EC80D6EB35A2D,SHA256=EB65C0E8A680D4DB2E649CBA93E154EFB10D25FD619A7F1A77BA62A31C251A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.150{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_query_registry.yml.tmpMD5=116BD77699AD18FEB39BBD70ED0D4C4E,SHA256=B7DE15C37398323CF00EEB9CC1F81256A0860C228B3A09AAEA323D31392BBA8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.147{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_gmer_execution.yml.tmpMD5=E63B9E4AE429D719C36B2AF305D0BA8D,SHA256=8E6167A70979C974B8D964B90D0D9C91361218342B75687D8C5FA5F0C10D35A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.144{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_etw_modification_cmdline.yml.tmpMD5=251631D7FE6D962112C3FB9C801565C3,SHA256=DDC320A1B3E8A804423AE26480DBC2E19696E656241B06FFA8544DDF266A5CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.142{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_wce.yml.tmpMD5=BE9649264DEB8E40E4A63887ADD9C59F,SHA256=D414FAFFF0D59DCC0AB184A2D38482DE90C5CC33198150D9FFFA7C2777552FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.140{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_from_zip.yml.tmpMD5=0082086AB6C77F1E9E0DAA71B08629C1,SHA256=0D81A799C4D08C233185B84A8BFA3DB95C97B1C9CCD97419D38C19D47276ACD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.136{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_adidnsdump.yml.tmpMD5=F7D591A48EB2BC320D5AFCAECCC3DDE2,SHA256=1EAA78E57AF634C5D07231642FE85071EA5FDB7DEB3D278145824E2729D8D2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.134{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_runx_as_system.yml.tmpMD5=DE574DD1AB41ACED86B7719AB1CCECE4,SHA256=179275BC340482E9DBD52AA40154F17A20AE5A5728E1C5655CC30C318A1C9969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.132{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regedit_trustedinstaller.yml.tmpMD5=774879CFA5C1DDDD289491051FE6575D,SHA256=608E023C5D4DC9368A760FCF3A6BD62C8B949B9639AB8C0CAC0D0D66141AED57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.129{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_control_panel_item.yml.tmpMD5=C88687BC78353CE65FAA3F66CC88EE5F,SHA256=B23D6CA0D7B0AC2186047D8E76F65F1E65E8E3864579F1499FA9F7EA32BADBEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.125{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_run_folder.yml.tmpMD5=B3097B275951350C9A5F78DBE9EDB2DB,SHA256=FE8B4BE4C9AD5A4F3C8C0E3CC677D7B5241A3CF1CD84DF11D329A26D4D1FC12A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.123{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_forfiles.yml.tmpMD5=652CD23A50C45BC2921D12F2DED62E48,SHA256=59ADAE5D21481FFFE6531FA4FBFB9CEDD11734BAC8F3BE6C27AF6E32E5B28443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.121{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_presentationhost.yml.tmpMD5=BECF0A2C881C7DE4A5B1DB24F0A94670,SHA256=8402C4BB2C7404CC243A45770A0DC1F55FAA7645CEC6E4131CF056F6808AEFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.119{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_elise.yml.tmpMD5=E4F3D1C56C9C524535C7D45D5021F7E1,SHA256=EA22E22C698E717D2423E1DCC6C52D19322B5F9F281D89A017E267E08DD22636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.117{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_default_accounts_manipulation.yml.tmpMD5=5CAFDB94A200E06BEF524FF16A5F119B,SHA256=6CFF212905CE0FFB0D8B01314B7CAB3D00959DD975BDB4A39A1691CFC4800869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.115{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_7zip_cve_2022_29072.yml.tmpMD5=85F01EC54300A950E89F61B0FF7AAC65,SHA256=0E12FB879D6AC72FDD2FC820CD03C3058B3F130934CBC72FA3B2792DF48BE4BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.113{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pdqdeploy_runner_susp_children.yml.tmpMD5=5D29E79914C3F5BE67827EB8ADADFB34,SHA256=38BAC3BFD489F22FE573BE976290AA7831F930D5101F4DA2C8DAE8BBC0C6243B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.111{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_sdelete.yml.tmpMD5=6D8EA1E5881E3FC45D7CE35740F143C4,SHA256=402E83145636A9064867C1F0264196DFFD64EADFF977451813ACAA0FAF2B94BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000749313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:51.123{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62956- 23542300x8000000000000000749312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.109{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_rasautou_dll_execution.yml.tmpMD5=F9ED4358A8560CFC4A2755B581B7E44B,SHA256=878749F21449809CB129FA9F2FAFF2E32107E6D5586F5C10C65BA358BD9FBBB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.107{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_ieexec_download.yml.tmpMD5=4955F700EEE0817B6021A84ECEB67261,SHA256=3CD789E03919AD9CC4A6397AA2B2BF7DC43CD123867FB1E08C0FE413332DD3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.100{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_sysprep_appdata.yml.tmpMD5=058975E7FCED6361E11DF34105E8BD95,SHA256=0CF316AD4965D368EE349A111C87B5B71E0400C3B9AFEAD197D1DEC7E7BF2994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.097{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_monitoring_for_persistence_via_bits.yml.tmpMD5=126ED36C4A1056997DC267351E06DBC9,SHA256=5DD05554B03220B75F5A61D30D9C917FF41CC4A750A1557350D4345EDA398755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.094{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exfiltration_and_tunneling_tools_execution.yml.tmpMD5=FFF2ACF71CC6B15165ED7CA30EAC733C,SHA256=8221A9760D368F2BE1473FD82E0033525885C021DB91639489C51E06F0E75962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.092{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shimcache_flush.yml.tmpMD5=89B4F613F06603FFCE0F7F356623FC9B,SHA256=AA35FF8E996EF6EAD53650C6D623AD1BC8A0F66D42B50F11C9A74A236CB3EF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.091{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_aspnet_compiler.yml.tmpMD5=71AD36D53B0AE569A293B00EBA50F383,SHA256=DC14AE230F61EB413715C8A41EE538CFB62ED3F760D5457FECB5BA51996F56CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.089{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_task_folder_evasion.yml.tmpMD5=D057B947FE8D005148FFD5C1BC875DBD,SHA256=3193A85A7B4CA0BCC8144039E8E107C77AE1D16E40377FBBE079D097ACACE16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.087{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_covenant.yml.tmpMD5=FF70A7EE31593C1FA2D3B7D04A3204D5,SHA256=A911F4B0F4234C1F192883931A8A888E735749332F62861395A11A36B9E2DD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.085{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_service_imagepath_change.yml.tmpMD5=A58E1B26DB1FA6C66B3E0F441A8E057A,SHA256=AC60DAB12607DD6BAB301F3368370CB0EDF6C9B0FB82816A88C8B4105BA3F854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.082{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_emissarypanda_sep19.yml.tmpMD5=1E2747F1B2B9C84CD38994F565C4ED41,SHA256=32A40E19DC8E2CBF7C9E0B520AC63E90FCF153F596340E3FF39C9603EAE67572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.080{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_not_from_c_drive.yml.tmpMD5=51492960C3D925C4140DBDCD2A1FFD99,SHA256=7FA43310764F73D87AA493D791C9AC2348B1485F0F03AC47D983C6A3625F1619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.078{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_net_use.yml.tmpMD5=EF8988DB682956F1D2EBCF7B1AF61C2B,SHA256=60BEA6D43148A9332B5C0937518617A8C762566206BB6AAE993FAFF705FAB7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.076{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_class_exec_xwizard.yml.tmpMD5=AC4DAC980E9DC4DA671458A071FAFF8E,SHA256=E3E923255773FFE1F1440B544661F7903D48F4F0CE3E5DCA5432ACADB240FD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.073{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_uac_bypass_trustedpath.yml.tmpMD5=2AF8AFEBBFA237D85E2E9AD398A42464,SHA256=FE4C34DE1AC51B8E02F4936AF7840D2A3ED57376541F3BD7EC19792850D96724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.071{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_vul_java_remote_debugging.yml.tmpMD5=74450FE407A32F9BFCE2218CECBD2EE1,SHA256=6B13DBA8A76E7F12D87CEBCEDD19792D4525D32960C6231AFD37EFF63FBE5077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.069{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_msohtmed_download.yml.tmpMD5=68CE973A18A5F58D7C798DF6EFA05F4F,SHA256=1EDE52503D42742C0BE7877922A089C9960FF494CB45D6AEE8055C604C55D093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.066{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_paexec.yml.tmpMD5=1D2C0431D6FE5D83FF75C19415633814,SHA256=3A4B502CD403107B09AD5A4172571BB7AFB5B83EA4A65DD20FB7E834977738FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.064{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_hacking.yml.tmpMD5=26010CD67498B87D68580EE8A10ECA6F,SHA256=4B701343F72BB80FEA150EAC7A2C9C6E9B5E2A359FEE02151F0458BFCC417627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.063{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FE29C0DC6D4871940BF3923D918CED,SHA256=9EDB8C3707F574EC9216A5C42DB29CCCB674043F337CBBDF4B8E3CF1089F2591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.060{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_rundll32_installscreensaver.yml.tmpMD5=023840AA979697B33F76557955E5DB2C,SHA256=51FFD735A06F79D1EF28BAED696D513E23F0B6E459E61CD489FBD40D5C474157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.058{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_conti_7zip.yml.tmpMD5=261354B3D231D6770A814A97CB5EB361,SHA256=7A3BE971F9561A72190416048E65E768DC25A916FC517599D32BD019F6824579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.056{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_gotoopener.yml.tmpMD5=39CDB208C8637B9931529995008B0042,SHA256=0A0D39772EEBEA17FC0238D4BF97BE57DEEAFA4B70EBA9EA777C3FF577943941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.050{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_runscripthelper.yml.tmpMD5=07C5D54C09A0E3ACACEC6A8611260EB1,SHA256=7DD5CB62DFBA1E2A6CC333112AFFDD89CFC03664149DF46BFE52E14EBCC81284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.047{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tap_installer_execution.yml.tmpMD5=74B1326BEBAA740463B66A9DD84B3F3C,SHA256=E2A1C20E9E3C7BCAE6D798F9FCD285B8DA2873C5E9C9EED9D04B35D27D08A9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.045{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pktmon.yml.tmpMD5=42F5ED053F9DBC5410D9A458E43B56AF,SHA256=B5B713C9D9E127709A0440C006D3768C8DA46660CB523EA74CEE35D625E82417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.042{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sdiagnhost_susp_child.yml.tmpMD5=49925FE702E1510F1555919F2A96AC48,SHA256=9645FDF612445B0F4D54CDD591E3B85C8467B8AED3AC9E2385BE789AEBEBF61D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.040{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_winsat.yml.tmpMD5=0B0DB08F905BA23B1AD4659694F7A628,SHA256=FECBDE1C32107B16CB67C17A12109AD6F9752F858F0194C438D73B7B1B60117F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.036{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_image_missing.yml.tmpMD5=A07F0B0FD05A584BAC97CC419ECEEF50,SHA256=B0F6BA0AA468C14D8343527417A7C729380065D730D4257B781E3502E687F580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.035{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_alternate_data_streams.yml.tmpMD5=635E264AED7916FD651D0BAC9CDB44EF,SHA256=10C3489C82C1F9F282CAF789906C4C8556C03CD683F0B1DDEF73535634426B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.033{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dir.yml.tmpMD5=82569EE2E911F4754A1677D70CEFD062,SHA256=3FD273BDCC7E69DC703DBC41FD5DEB0A48AAE1BC8450591FC101B534024F1BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.028{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_execution_path_webserver.yml.tmpMD5=2691783E46FC83CD9EEB432842992992,SHA256=C43D2ACAF6D17FB25273FDD4EA02F426F1D5E1A365B47125C16211CBDBCBEB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.027{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_findstr.yml.tmpMD5=8BEFA422C2417D0F5E0D5314928D7ADB,SHA256=CEC0C1517C70ACBA0841C830B350962968F947385F72D78BBCE874389171DC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.025{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_darkside_ransomware.yml.tmpMD5=849ACA0075407FFEDE5F46F0291817B8,SHA256=EB263A07FDBB2B78243604C23B4638D60002ECCC428F7022F653DCA7C1E9B1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.024{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download.yml.tmpMD5=472E9D1DBC31AF8C9A2C36A4CFFEE9F4,SHA256=38142103D0EC02D322031B8126AE41DC1179D7413202C233EC69F501E6035FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.022{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_koadic.yml.tmpMD5=011124C1471F7F83BBA6D9D70CFA0C61,SHA256=D444738E6F5AD5B3CC43ACFB72CFF838792F5483DFE3AB54B4EEC7E2381FA622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.015{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dotnet.yml.tmpMD5=14B3EF2B3E2B16D5D0DD6998AF35F62D,SHA256=FB4F701FD88EA4D6C45EC8D020B4A38B8F9D4CCCA1667359CDCF43ED3E68B53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.014{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_register_cimprovider.yml.tmpMD5=624938727A5A2BFBCED884608E9319D9,SHA256=A703E5B535E0C6BEE28AB1D39F8EB711EFF35B8CC61C74ECB9081D505766E86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.012{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_registered_com_objects.yml.tmpMD5=B69FE5F6AAA2D5F407D1465C7DABA3AB,SHA256=9306A3816E668F9E2990829CE2F427FD6E006FBB05508D7BA0A75685383D3148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.009{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_windows_terminal_susp_children.yml.tmpMD5=7B21A10848A5C5D6D4EB8592E85FA737,SHA256=EC107111EB0DA4B497A5CFDBE45A7B43B6C66187A866AA9CAD879D6681DBC2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.007{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_systeminfo.yml.tmpMD5=AB3E0796341A7E1E2609AE13788E1B27,SHA256=CE9D4DA087F75A8C2B7378C9FCF723031413C1F1A13F4C3BC6391A1B64AE5A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.006{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_winnti_mal_hk_jan20.yml.tmpMD5=C646F2597CCE0073D3F3FC68E40B6F8C,SHA256=A91A7B56CEC8B9CFEF173FD6F5953A025C778BB67BD67B0F041BDD85FEFDEC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.001{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2020_1048.yml.tmpMD5=3490DC69FECE2A52B02F03327C4FC617,SHA256=05CD4395FDA1C7598A3468AD898C96C0CFD2100D6BB4E73F02512908C41FFA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.000{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_curl_start_combo.yml.tmpMD5=1C4E92FA97C11B93CDD8232DA5038EBA,SHA256=F7662467C77679AADDFD900730029C30C49C783DC4B725E8EF474F065BB48BFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.607{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.607{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.605{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.605{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.600{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.600{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.600{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.600{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.562{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.562{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.562{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.562{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.561{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.561{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 23542300x8000000000000000749960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.998{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_powershell_code_injection.yml.tmpMD5=A0DC7FC2C29D41C2E54C5C92D469AE0E,SHA256=5717E03526E2074128C7334CC08F9B13F57E4EA9A6D41F17BF5C5BD09ADEA063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.995{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_password_dumper_keepass.yml.tmpMD5=CD2CB077B3106B39C708B67F9C3466E9,SHA256=806C7F0F91041805A7F3D1E2202935E664910A03C547800F24143916376D6FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.993{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_cactustorch.yml.tmpMD5=E26A8E2E32C7D3D106ABADAB4F477563,SHA256=BE25E0D6675AE2DA06EAD94F94456DEC8D40227270DF648ACBFFCA147C7584B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.992{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_cobaltstrike_process_injection.yml.tmpMD5=9D0A7CEF85990A5F8C0E395EFC7F2899,SHA256=588787348FE7C87509D98A52DCC400A768A969A362D3B789B594E8ECEEBA0F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.990{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_password_dumper_lsass.yml.tmpMD5=ECBD66710B31076B9DEA9377A9D49E67,SHA256=DABB11DF72DD2932E318F15DDE3A5C905FFE93B007D7DB57A81B40B35C24E851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.987{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_loadlibrary.yml.tmpMD5=73481CF53C855FF17F77FC7EA43EEB77,SHA256=C99B85A361A676A501FE14D935CFBF6C2E897AC43C924D2D30B7515D374621DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.985{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_psexec_pipes_artifacts.yml.tmpMD5=820DE5A78BAF65C1E7F60A295D879297,SHA256=826412786C34AAA06C3E23C448787127951413D2288A62228D9BF82EE800A09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.983{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_koh_default_pipe.yml.tmpMD5=36741A2567BAB2B88F260DB568A58718,SHA256=92615B7E68EE6967506E447A30A6D197519DC4DEB52F6161A6C521FABEB6C1DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.981{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_psexec_default_pipe_from_susp_location.yml.tmpMD5=5ACDA4764242960C9285B25351F8FAEA,SHA256=A9699AF3E75512AF84918EB33DEDB08161C0ACE728AFE7CFBE9068EC2C12A33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.979{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_susp_adfs_namedpipe_connection.yml.tmpMD5=3139BBC550511652D9FE420B91FDAD0C,SHA256=0369C88E04A581DB001E8ADBEC7B826D8BEC1E4350C02B43EC2BB2C973EA9FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.975{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_efspotato_namedpipe.yml.tmpMD5=E7CBE022A76FCC462D47EB07848DD38F,SHA256=9462EF2EE3DEF64488E28AE88B3869E82333B4B9D3BED50A4D4C8EB92B2F0BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.971{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_mal_cobaltstrike_re.yml.tmpMD5=91129BF3319633A015EA1B8227CD9A25,SHA256=36F8F5DE0AF9966D2D3C1C4DD1CD44722D4BBC1ABD400CC0CA2E5C209C83971C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.968{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_mal_cobaltstrike.yml.tmpMD5=B8E297B805D375F6079B4DC46D6346FA,SHA256=8D8BE354193B4C2F5F5348EFF3C761CD58843FFB35EBC16D493EBC3360743613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.967{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_susp_cobaltstrike_pipe_patterns.yml.tmpMD5=09ADFED8824998814CAB6BF5B9B5398C,SHA256=06DDEC4FCBF8221C23EC42BD5EDAD5B50B725EAE99E9BB0118CB8F5644E166DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.964{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_diagtrack_eop_default_pipe.yml.tmpMD5=D22FE24E0A7D27173E025A634A14B832,SHA256=33E4C67A1AD1D39C3041558FE0986685D92D5FB740E9A68F37C1FAC9A580E8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.962{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_powershell_execution_pipe.yml.tmpMD5=668FAB8763380BC074906CA0CAC757E4,SHA256=B6B536571D1D5B0AA56376DC875AE21548D3FA1935CF9A43D0646097765C70CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.961{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_cred_dump_tools_named_pipes.yml.tmpMD5=8B7E2E2B8E8A9B5A3497F2B4E50E3F13,SHA256=589526677B7E8CE932D07A7671CAC1B7BC7C880D36135E1E50FD77ED0A3F7ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.959{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_alternate_powershell_hosts_pipe.yml.tmpMD5=4811AF29A19A115F64D15CA38DB2FC9A,SHA256=DEC7F0AACD9BDF5A3FC330A0A4CF40D9A7A4D0F749266FA24CDA071BF88D1BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.956{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_psexec_default_pipe.yml.tmpMD5=24280A1C395FE4691092BEF2781935EE,SHA256=DA17427CDA3EA5C627B5717D5F0831EE3E0A5D3EBA8F0E6D9911E9833DF8412B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.954{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_susp_wmi_consumer_namedpipe.yml.tmpMD5=EEB76A92BA7C3C328944442DDE3BCC48,SHA256=BCEF3773435FB532110538DC7F5EBE7FF9C8D7FE0E83C7944A0669C71B3790F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.952{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_apt_turla_namedpipes.yml.tmpMD5=25F6E7E6560FF0BCA4DDF5B2861985C5,SHA256=62E31D0EF1BFBDCC655DCEB1D6EFDD01E8B27B117DADFA81BBCE6C08A427C1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.947{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_mal_namedpipes.yml.tmpMD5=FB9EA8C5DE62D83049719B82A4EC0F88,SHA256=A933BA605221DAD180FE518A5BEDA6BB49EDDF82C0CD0BCC0DF08E5A834ADC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.943{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_hevd_driver.yml.tmpMD5=72D5A4EA7BEAB5BEA57A0612FE8F8DEB,SHA256=3E5342BA49D1B1E48419FF8736372FFC4CE63505EF5053ADAC93298A5F999762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.941{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_powershell_script_installed_as_service.yml.tmpMD5=9F99066BA8A41A237612EDA0ADE90CED,SHA256=07C87EAB2B09D4702E947CB774DD17DCD7DE9F65792D1793BD4ACD3DCA559086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.939{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_drivers_names.yml.tmpMD5=4AB65B647C7C92FB6BCA330AC79CABF8,SHA256=0FC282DF34D21180180BC4AD892741C18FD8DCFACB63EF96BE8077F5687072F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.938{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_windivert.yml.tmpMD5=9F7617C5CD864C0F44A4BAE2EAE86AE0,SHA256=F9777800F112E126632AA16FB9464A065434D6AF9B383D6F09019A4C27757F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.937{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_dell_driver.yml.tmpMD5=887FDB067C01FC5E9E88AD353D4628CC,SHA256=AECCBD7496F191D1887D9061E23146DEEB3A449F8EE110A000446EB010AF190E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.932{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_susp_temp_use.yml.tmpMD5=C7969C3C328B4C93F57FA2B3EBC43D87,SHA256=A97B6F36DA7D7358DA83BB1A51C09D02B1FF4D788E387970508232E21A4D80FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.930{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_gigabyte_driver.yml.tmpMD5=5C97CE7AE41A8686276A23381D59F4F3,SHA256=E7C184BD2521057F0FA6417A8C179AE7DA8DF72B20F7A2775C94D1A43AE4D0B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.928{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_avast_anti_rootkit_driver.yml.tmpMD5=7262964FF4007DB423715066410EB557,SHA256=376B9D89791ED1F931FCD71DA2280C36826A1CAA349F9421F955BBA8902618B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.924{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml.tmpMD5=F405CDE893399F0CBE061637745ADCFF,SHA256=B4743B955E0656F9BDD55180D1BE35B3B681BC34334D1143D5FF493D36E811FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.921{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_hw_driver.yml.tmpMD5=94ECCD1E1E50267A98E3FEA360E3FC0D,SHA256=8287FE0DC6EB69CA3DE25C81BBE0793B35C3A90A2FBA9D6D787DF4E833C8183B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.920{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_winring0_driver.yml.tmpMD5=2AD95CC4A3837DDDFDD3E2AEE88ABC4D,SHA256=AF490B05012C29FAD1819C7F3DFA05B2CC351B5732057412A479B0B48D56ED56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.915{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_mal_creddumper.yml.tmpMD5=7605C32102917F5F017F41702EA61AF0,SHA256=C5A4ADBA5D5E4C04D04242F0691BE02B3FE8E01487168612C02CF3886250C135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.909{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_drivers.yml.tmpMD5=E4409659EBFEAE7A06BC447A6C74CEEE,SHA256=6A4E426CBA5BDEFBA1283C3F99CC02FBEE21E5CC20CCE001FC1F58BDDD6B45FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.908{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_clsid_foldername.yml.tmpMD5=8BF2E6E7F1244792085187D238D7E9FC,SHA256=71B99F35B6E6B5D3BACF05A7C8213ED3A05D132917D5D1CE6B68C34F26D84F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.906{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mouse_lock.yml.tmpMD5=558C3AE7826DA8494AE181273AF2737E,SHA256=81AEB46D08C6038CCC2721B1D3E9C34EFCF5E7FA12464782FB5D636C7A7798C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.904{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rurat_exec_location.yml.tmpMD5=67CF5608024187118DDA8FA8C5546D98,SHA256=A5DE483A1B52CC5A64E32DFD84274A491A2CB14372A6E4552A6E8D10C4E2841A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.904{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_3proxy_usage.yml.tmpMD5=292E68C92C1354304A7A8B1B42741D5B,SHA256=33BC71DFD55ADF8112ECE21288D980064B75859A5D415936412E34E1744CDD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.901{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_anydesk.yml.tmpMD5=227DCE8C86D3ABBDFFE5B9C2B359EB1D,SHA256=F603ABFC093D118EE73C43EBBF2B640DF6D52E5E6BD51323FE0790E7BD1C2C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.899{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cobaltstrike_process_patterns.yml.tmpMD5=F46124F944289104910AEA048F51CB74,SHA256=3B268FA6B3A28FAE7D915332C41E22A41AD7912EE3445A832B12EA59E52F94F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.898{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_outlook_shell.yml.tmpMD5=5C593128ADFE5689E7AF39E6F6BEDBA6,SHA256=DB1D82B0D3FB649B39849CE86F7011804F7D88F501F4E67E36BFF4AE7A089730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.894{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shutdown.yml.tmpMD5=C83B8563CCE8D628F136B6184A277AB2,SHA256=896526840FFE169B4B6493293C7F12BFE4475AED286244237E338DC19123F3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.892{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sdclt_child_process.yml.tmpMD5=9CD041B067B0CBFBA779607F5D1E194E,SHA256=65A78F708B71587B8E6AD615A1596E7CD90489FF4E7D874532701BF06617C3F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.889{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ntlmrelay.yml.tmpMD5=A4D79F38C8032BF0DEDCF46EB8C55C2B,SHA256=F24BAF275336EF13BB3B7F9A2B7B5DAF04648A487495255AB0E2D03E14115778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.888{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wab_unusual_parents.yml.tmpMD5=7AE55A32A6F871CA6143773FBF922F32,SHA256=881D207AD729D3233E7F70D08926FA72F0741315BC4E8394BCE4127484280EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.886{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_inline_base64_mz_header.yml.tmpMD5=A76BD7699181FB91F3B6E394D4676DC1,SHA256=060BA29B786A3D6523E77B03ED5751639501BCDA5B6A4B2E2D6C0823D44B6659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.884{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_unusual_parent_for_cmd.yml.tmpMD5=61AEE8DFCE9BD7EF38F9DECE7085C4D0,SHA256=4B81C30EF0BAE521897BAE09294BAAA14CF97D0DA2318876EBCC7A5192696B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.882{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_acccheckconsole.yml.tmpMD5=D95627AE131E9DF7EAC4128502916808,SHA256=A87CED09B30F225CA3C1BA2921CB0B1122320FAD2D3FF53C49270491B9326024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.880{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ditsnap.yml.tmpMD5=A3127232DD75EDA640711027432CEE78,SHA256=DF380546BDDC858D22AEA8D7D7E841F21CF78A1DCADA27C4306DEDBB8811A9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.879{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_squirrel_lolbin.yml.tmpMD5=3D19080AFC3A6F94732E36A9C8857EC6,SHA256=83581A0A3320770E8B45E2F4F343F1A3734A42B27A469C37A3332FED70E87091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.872{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_reg_loader.yml.tmpMD5=BD0A256C218C4F80BCDBA19E3A6AB0BD,SHA256=98A41DDD12C7F04659865D2532409D259208DC7C0B68B0A5B07085DA9BFB8CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.872{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53E402784EC5C80B533C8FC0EEE0301,SHA256=903068C2B64E029C905083CD7BEE5D21B42AB3B3033B153849B6FF543A1BB41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.870{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_fw_add.yml.tmpMD5=085B67FA243940527BAD4ECA5D73ABF9,SHA256=A4CA2A5366AC459A65ECBCDE25A62B0B389C668AC8F5426E36AE0290B9468275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.868{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_advancedrun.yml.tmpMD5=D7F1D8B7699C40859383F1DE277FE763,SHA256=31E787999250F408051C60343078874892298843DA286F11EFB64F170ABA3574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.866{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ultraviewer.yml.tmpMD5=3DD78CCCCA642AC427CFD1E731111648,SHA256=87C9A80AB0A9D4E909DD3C68534AD5E0C4ED8D913BD3314E3CD1CC1107BC6E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.864{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_frombase64string.yml.tmpMD5=823BBC9F684F5355359198ABFA17F2D5,SHA256=4358F6974F5AEA04CF5831B7FAB5A8EDAFE7134C11A49E23F9405B8E4D339979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.863{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_evilnum_jul20.yml.tmpMD5=FA059AD58F6F0FD2BDE21C05EB720817,SHA256=2410DF45E5F0842F75E787A4281098ECF35220FF4208937BBB2A9590BFE10BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.861{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_double_extension.yml.tmpMD5=890FB9504565B9D8FC3D1D7FE788F8B6,SHA256=AE3D98C37F4D7D8CCF8F23B02B551E69219A227363755DB7D9E23EAD8CF79BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.859{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_progname.yml.tmpMD5=FE64CED73253528B42601329E4E4B56D,SHA256=FC8B111B3106BB82499C2C1E694F93D0F218949B82C87BB0CCDDF51A136486BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.858{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_procdump.yml.tmpMD5=16C3D115107C20CD7E28FE490720C387,SHA256=A7BD9C3F7F329D933E102658D9306127435325EBD9C31810DFA8D8F657713961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.856{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msra_process_injection.yml.tmpMD5=DDD23B199A77587685C6943167129498,SHA256=5A37EFB25E40C0B0664B398C11F4DE0079B8FF98DD17DCC61B63CC34582CF64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.855{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_wmp.yml.tmpMD5=46275999852CE80408BD48AB936D37D5,SHA256=069E5F5284205CEB3239774AAA8329C8BC58197A87FFA8D7DF3D711D08180789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.852{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_script_dropper.yml.tmpMD5=ECB7300A3759D7DB74BA82AE2CA6047F,SHA256=EF7AEABC497DF8039E2D9724F5F9BE338DF6E63F4D9F2ADD7DBB395570F12079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.850{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_workfolders.yml.tmpMD5=ED2835923A7C9FEC31ACB0575A85B26E,SHA256=30853979B0EBCA8391FB9AC09B2ADFD314CFC508C135EDC3005F0FDDCB79B4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.848{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexesvc_as_system.yml.tmpMD5=D8FE255965901CC7D7CB8C03B2E2756F,SHA256=4197CAD69C8B1606D242DDF6B0E8047BCC1AB39B376DD1C4747C41452DFD70E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.846{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_modification.yml.tmpMD5=83083EA76C62EFF6C5B0988FF2BB7E66,SHA256=7CAA88EF12039A7DF9E6E9AA39AABBA05E4DD483D7A063525E2367599640D245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.844{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_ie4uinit.yml.tmpMD5=222849DDA74FA0C414B3C59D038B21DB,SHA256=7C3DCE5D1B4EEC2144CA79570CFEECA39A0B6F0DCAF56EB1838366032212AB4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.842{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysmon_disable_sharpevtmute.yml.tmpMD5=46C1A0E87FF5516BF9E2B84B18148B56,SHA256=E67C6C234E322EC30A492878128868A2C63C5389A60C84B03537E32F97F8E5CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.840{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_shell.yml.tmpMD5=045C6B54884E8340ADD8F008B804EDE7,SHA256=F88D052BE83710DEAB8E4E89B830151A884E73AD29C207E96DBC9043FA1C9CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.838{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_greenbug_may20.yml.tmpMD5=E40D73C9AEF96C438315806F5CA3E20E,SHA256=9EE21833CA8E58F8D0DFF03FA7CC2BEA0A9908A59451EB16B8D6505C61A46AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.836{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_esentutl_params.yml.tmpMD5=6FCC63B07027431BE20A1F204AE91892,SHA256=F728654FB6C9A785D76B9952CDDDE1E208B57521E8E7C92B158504B22B954408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.834{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_disable_windef_av.yml.tmpMD5=60B5585FE0B4BD51186AC1A99E4B39D9,SHA256=65FE68E5B5367A63E3422010CC831A9DC79B4280A85DE2D779F62672BC2DFDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.831{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_psexec.yml.tmpMD5=F158F1AA57FEC9C7D2E522CAAA50DF07,SHA256=16516D9386C50F4A92C15E8718D8CF4C01E3544AFCAB14EF7098C1BD5573FFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.828{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_binary.yml.tmpMD5=43F360BE50841FB211FFDA8DE9CB4D1F,SHA256=0498D96D8098C991CB7BFCEBCEE601BE6FCA9BC3231C8C7CE805B9D22B5EA2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.827{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_no_params.yml.tmpMD5=8906FD1F81BF742DF71A3F19C3BEF9E5,SHA256=36E3798F47C24EC225B793FD23A54956680125DFA183697988D0E253745D176E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.825{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_visual_basic_compiler.yml.tmpMD5=94F3C834D0AB856D9AB6706110B5AACE,SHA256=72E4BDF73AD9F8E790B04D4D9250F2183B744980A031BEC1761F44D572ACA77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.824{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msiexec_embedding.yml.tmpMD5=03B8822A7667B9B9426D50F1135376BC,SHA256=4AC18289B6233CCF04D2D5F2987B403078D7C923C68B39CCF93F0CBDB601433F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.821{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_lpe_cve_2021_41379.yml.tmpMD5=C9D9A3E8A167841AFB1D4562667C64A0,SHA256=E7076A05E7CFAAF8ABA7B3485D86FE0772114959BA97F13ECD0694BD456D4B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.819{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rclone_execution.yml.tmpMD5=978B28A850EA590AFF9DD398721381EA,SHA256=4E4EB3CCA7A9DDDA7DED69A3C48378A2299FF5404C53CB6804275137D9E46A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.817{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_workflow_compiler.yml.tmpMD5=9C728714D9883A3D3600A091C7B46FC2,SHA256=F391D1A51C547DFF298A9CBDD8D568DD6ECBAA64525B73B341B9863B92CFEF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.815{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_enum.yml.tmpMD5=1BB7AC8FF40172350D2CC1B4F8C42BAF,SHA256=8225AC24D782EF1526A8E362A8ABFE38B78A81A749D28EFBBA2D17CFEF4B6E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.813{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pcwrun.yml.tmpMD5=3615DD8B4AA49A937692CBEF58D81376,SHA256=C87F4D38359A991ED5FEB687FBF4038CA68EF4567168EB3EA3EAE2A9EF74A2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.812{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_ryuk.yml.tmpMD5=CE86AB82D63C0DCAE4B92FA22E4F2C06,SHA256=C494E02C075A3898178E8B65FF4E844E5C733775B3B09DB47F8EA621272614C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.810{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml.tmpMD5=190C3F18DA1CB99E078AAFF3BFCF5C78,SHA256=CD19F81779D6F6FD2AA4CD7AEED834376E57EBEAF4B0EDF537D6C2987F3EBD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.808{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hashcat.yml.tmpMD5=7B3E5A300CEA56734462FB225C6BD521,SHA256=B8769271124B6D5B546D8F0DC76B9E48BFB7D1B19227A109B49826D06D3DA635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.807{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmdkey_recon.yml.tmpMD5=445B7389F3DB7ADBD83211A820D340EB,SHA256=F0DE07054841DAA946ADF57A01F03A924D0362F3EEAA1B08B564C27DF9E585AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.805{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_openconsole.yml.tmpMD5=C755479BFAFFD2F661EE05D4ED3E4301,SHA256=6F4C70F588A08A91DD5505D8A77664C24E02AD27D23093C77AEF5DA66E8B02DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.804{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remote_time_discovery.yml.tmpMD5=9863B8FA389DAF236B6B098A193AD569,SHA256=99EC1F4417644157A834CC114B86A366C7FFAB8CF99487A9226C272D0847397C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.802{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cmdl32.yml.tmpMD5=E46E9225D46EC971602E32BEB48D4426,SHA256=2A5E084D34BFEEBD7B1064CC03D643D75ABB713A30784C340B2C72260D542A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.799{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shell_spawn_by_java.yml.tmpMD5=03F577707664B841E8ABF3CF50A2132D,SHA256=8118CA6A24F6C874C2ED53B568179ABDE2B4252B3455F83ECF8592EC1B9137AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.794{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_tscon_localsystem.yml.tmpMD5=5FDEC5509EC538011FC8349A5BDCDE32,SHA256=1445B29CB7A91D4FA035A2634D35F351F8CB9B21C26270182E986D87429010CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.792{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_c2_sliver.yml.tmpMD5=3906B3DA8462E9030DDB012E7B1ACD4F,SHA256=EADB39E73A3AD376A9CF9DB988B508DA35F1474F0C5165A5CB6B7065B883AB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.790{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_hotfix_enum.yml.tmpMD5=A7D0E8B5A98B4EAB4C44E2D70AF1787B,SHA256=3A63657051A79CF6612D3D193D2D9DC76228E60EC0850EF211942B756B6A1758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.787{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_whoami_priv.yml.tmpMD5=22FB3C97D287949EFB4B328E6343C86C,SHA256=71D1FE8E9A1A3E7B72AD692C765CA9B4A44C977014429400CA4C05F5B514C2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.785{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_run_locations.yml.tmpMD5=53DE447D7D45F931EB31FEE72C62B0C3,SHA256=30EE5B41D8D348F4F96B74E57F9B09984ABC3D35B9BB67C8959C7A2546776B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.782{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_adfind.yml.tmpMD5=715A09B5B04BFA5C8D779F1D67701DEE,SHA256=2F8EBC6820A3D0FADE437D732E6BE64399D41A99D1DB37C1728E1CE3A3776B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.780{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_dridex.yml.tmpMD5=FE670A0C37BFFA6D92C0D4AA299FC499,SHA256=9DE253DAE0BE6EC42DF45AFB102E21FCE3C53F49AFF39D7284BB45CF4F3404C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.778{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_imaging_devices_unusual_parents.yml.tmpMD5=C927677F232C0B6FB718A4DE6219EE22,SHA256=6CCB081D7F777BB013D3BBA831D67BBDDF9195BA03F6BF992F90B9C4DFE9F9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.773{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ps_downloadfile.yml.tmpMD5=8A3D2837F398CAB6871A52A317373DD1,SHA256=DE1BADF786DF47F6D3C0A2B1B0697BFE9C36676132B39C1657FA711C28C8B550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.772{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_commandline_path_traversal.yml.tmpMD5=610B2222184A28340A0B43F0613C6835,SHA256=AA7059B5DF8C24202086CA56C1A92B58DB5E7032685547681413C53B5B7751BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.765{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_frp.yml.tmpMD5=52674AD3850D5E9BDBECD89B29D99D75,SHA256=CC0B19C9D67D61910C5DD69A373D8CF73564C496EB66D80C1F60807AC579721F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.764{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_packet_capture.yml.tmpMD5=C8889C775193D43FC6B8C03F6B8A590D,SHA256=85A2802A73D075963584534D680E3BE933D10305C85C5DF119E038E7D759BFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.763{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_execution_via_winget.yml.tmpMD5=35427F5AD65FADC6AA8F2B46F814DF42,SHA256=FF60886C6BB4C5C806A0C51D1573180E64CEE1F820E33CF9A1991EEADBAAFFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.759{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_adfind_enumeration.yml.tmpMD5=3522BFF8D2FC5A5395B986A7519E1884,SHA256=4335D91D05A50F76FF4B1A5F2F33D07EA54EECAEA634DD8C43C70A7D62C71EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.755{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_iex_patterns.yml.tmpMD5=FA55A0FF8B6A2FD22B9E757488A66481,SHA256=104496562654FF8068DE34288AECD23F5C71B70CE44E5790C539EDD9DE0DC3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.752{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_unusual_child_process_of_dns_exe.yml.tmpMD5=B972DEF87DA0E13A039BDE4E14BE6061,SHA256=05331239324C7DD00691529C8F37697DFE683583167747EE3B2F766C31A1A2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.748{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_curl_download.yml.tmpMD5=12A9CF9024CDA1C45291F30837AE59F4,SHA256=E726BE34E07234A4444E80D1E496AC7D299BD1DD6236B27759FD87477E77A3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.745{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_missing_spaces.yml.tmpMD5=160EB4657DFD998EDA9EDC90DDD3AACE,SHA256=678EDE852922A33202C797290B198776E597BC1CCC3B48C0E2EA445AC6DB7B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.744{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_tscon_rdp_redirect.yml.tmpMD5=A65B5C49B74EC22FDD2A31870738F4CE,SHA256=D17F1D832E2E8AB15B00ED4EB1AC7BB5AFCE8A68FF178D74A19E6FD6ABDA2597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.741{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pua_defendercheck.yml.tmpMD5=E2053F58F4946902FBBE2F0E9028787B,SHA256=5B9B162CA4137B624F54FF08D690553543FF070033876D6218473513861F6697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.739{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_non_exe_image.yml.tmpMD5=0D98C177A448054CEA7B6FB5B0D8CF50,SHA256=4C6ED96D170777A3319580D0A38CA24BFA54047323D407AD8C1AC0309F0AADC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.736{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml.tmpMD5=AF31AB682DD66477068B81885C1119A0,SHA256=89879E02D1369933F0782F5E17D5EAED85BF74C99C14EDF79412F1369968C121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.736{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CC30060BE3834B4BA6ACE315969142,SHA256=2B7E25AB69AC7F6B53959AD163261CF5365C5B75ED2B7578B16929C4FB30B994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.733{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_sqldumper_activity.yml.tmpMD5=18E1EDC7C718D11936517B8C0E3B10D2,SHA256=B1CFDBEC28393551FCEA23FD187AE14339FACCDDA26C1ABBE2C43008093EF229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.732{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_inline_win_api_access.yml.tmpMD5=8E2D8E1F474FCEEB37FE0E1E0984B533,SHA256=064A1C336802D18692A03F7CE8BA9ECB81815552E0700BEAF2583BD468906BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.730{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_system_user_anomaly.yml.tmpMD5=D3B25B95EE180B14222929B3DABB06AF,SHA256=5ACD507EFE89C15C10C844E8F3D289C0406C6E1F47733248C89135DDF15737C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.728{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_copy_dmp_from_share.yml.tmpMD5=F9C218D342CBBA26748868E41107190B,SHA256=9A4C2C5BF2BA68FD0889C8F9771C77617198891AD64934A4486CA8456FB9176C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.726{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wevtutil_recon.yml.tmpMD5=CBE337C1E7EC401CD5B8D15DF0630D29,SHA256=332110674DEE1F3FF788BC293A6C3CFF166E7C5C36B287F48D9A69C101AAF2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.724{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_desktopimgdownldr.yml.tmpMD5=AE14EDB7F59E6B84C562792F6DD93DC0,SHA256=C8E76C67D4D0634F08AED95D02368C378053FAE4D96306B8FF3C4E61E3A4EF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.724{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_spawn_explorer.yml.tmpMD5=ED574807277B56691F21E9BF6B910879,SHA256=6EBA1CE56FF6598AA6FFEC342E32340EB91D34E590EF7497A5E61CB17D2CB06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.722{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_hostname.yml.tmpMD5=05F5F6DAC6294C91C38254C87DD2356A,SHA256=11FD2679AA1789610CBF715E2DF095984C9A1ADDC51FB0A18889A4B6F42676CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.721{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_vbscript_unc2452.yml.tmpMD5=B9D0D1F43411B863EA86316B56EBED2D,SHA256=FCD40973D0A6B69C9BA5DA09096C99F4B4A930B6C7A2A1D5EA5FC15F9D74F682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.719{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cdb.yml.tmpMD5=1DC76407CF47C0681245ADA02C3B7F4D,SHA256=92686D8F31D3686497B6BEE9C5C3350442081B06E5889770FD8D67B49AE3E0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.718{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_compress.yml.tmpMD5=52A061181D362AAABA446FFB3BC9B6C8,SHA256=787F09112CB9AFBD21B00EBA79D8D041DAD061EF8FF56C0EB4E52E954BA13F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.716{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_dumpert.yml.tmpMD5=ABB15C354CDDC9D912F3AEE7B329A65D,SHA256=F2539DD5270B1108803DD0A0844A680D21CFE609767F022C7C00FFD948D2689D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.714{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ftp.yml.tmpMD5=A14684A807F138BF586EC7320CBB34DC,SHA256=9E7F8F6389AC824D80F7C8458EA52CDDD6E27BF5608B51B8B0F546F00D6BA564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.712{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_outlook_temp.yml.tmpMD5=628F76495BD8DC3FCFA64E9F3A202745,SHA256=73B80458956F625F16A32958930810C0E1D2D553692D8DD3649678E7BD08AA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.711{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_crackmapexec_execution.yml.tmpMD5=01D4FD225E008941EC839BC7462A76E4,SHA256=D7AE45AF96515ABB212BBE3B8B50E6377BCB5A17A0A869DB0A1B4F16B49642FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.709{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbins_with_wmiprvse_parent_process.yml.tmpMD5=F07E4761C6F241E84E6E53221646C23E,SHA256=EFAB91746F0F51D32313B1C4C148AC30B6424B655749A62F5D94EDDCCA6AE937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.706{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_script_event_consumer_spawn.yml.tmpMD5=24DA505E5A2F4C7B83ED9CEC3300C239,SHA256=1DD08EBA2CA01C6ABA09D77223A3C0C6D35BE53FFB0A14FFFE01B87ABD7E844A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.704{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_sharpersist.yml.tmpMD5=C1FB93051E97EF3D2A4C6EA1A077FB6E,SHA256=3DA4D1BECC01B1752DF8FF013159A2070A8160D02FF07CE9981084865C92D1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.703{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_anydesk_piped_password_via_cli.yml.tmpMD5=9C9D13FA159037FAA66EF84410945395,SHA256=39315DF8C1F7B3E33AB1A08EFD3342E2CCA959CB36F381A742CF407DB63668AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.701{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_secutyxploded.yml.tmpMD5=6085E6FF21DEBEC4E4C962BF08F72095,SHA256=14CC9706955265A59CF8B9277D1059CA22D310C915FDB1375E21EA0676BE8E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.697{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_splwow64.yml.tmpMD5=322870BD3200E2A12A59AC280E63090B,SHA256=BE7AB9A128338C6AB1FF213C79E55929A2F0110ADFCC85313A2A2F5A7BF2ED23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.695{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_outlook.yml.tmpMD5=92657D64AAA2D6B2C09E386725D704EB,SHA256=64315D7CE9F042410AB6A43A574474C0787AB56FC0CE21D4C90A04B209A27E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.692{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_soundrec_audio_capture.yml.tmpMD5=2DA48B1CBA2F16197E8B6709C8D670A8,SHA256=19F3367DC0A3FAE168CFBB9D479F848CB913F1933DEDC8057683EAA3658FE533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.690{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_takeown.yml.tmpMD5=7843E197997D449FC64678D88D514EFA,SHA256=F634E2EBC552CD2D8060E35566AC5503FD3D81EA8900C92D23612D906D97FC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.687{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_odbcconf.yml.tmpMD5=AE13C944DE40CF00A3675497CBD2B6E0,SHA256=7E9884A5A621B9E461EE2E2F8F42D0135AAB47CC7F7E4DFC12D782D85424950E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.685{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_add_run_key.yml.tmpMD5=6539C2693AE7301808674D57B2C90B35,SHA256=98CBD2B251F7F38BDC8F13AE26579AF0DFAD5071B1851E73B472FF31DCEB061F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.683{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml.tmpMD5=5C2D6BAA2089713A988F128BEE71E4D7,SHA256=76D604706E3457D70E3A4984CA8588CC05CFDDDE731F6E50A5562FB3A48E7923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.682{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_use_rundll32.yml.tmpMD5=D0597543637E4057754D906BC4553FC1,SHA256=C33175B80C02ED97176DCCAAC3D378A6101612F007740904456B3E749F6ED20A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.681{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_priv_escalation_via_named_pipe.yml.tmpMD5=4D325A112A56178732282A1A934FC14E,SHA256=0686C1F14C5543AED8A671EBAA21D7A7382B8C46B5E8835A26839012642998C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.678{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_volsnap_disable.yml.tmpMD5=3728793FA5A7DF5B04699884FE937CC4,SHA256=553C95C9AE1590597115E85E75DDDE68F8D844215B620E16E8CC294C00990573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.678{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=92602DAD6C835CD56902E37C47ABD491,SHA256=E80771F839F2F1D7D6DF9293FB0A1A38CF67242564FDA50CFCAA595A027E3DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.676{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_ke3chang_regadd.yml.tmpMD5=5F6FB75BE5E428DAA377BFC934CD4026,SHA256=345E1F6D9522875D729EABE2FFDC6C0BC9C14C9A30539DD83474B59B50A72221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.672{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_service_execution.yml.tmpMD5=28F6B604981674C2BA49552206A54A56,SHA256=A476E8521CDC137894836998D8B4EB1257670A0CC3E4DC12EF08608C2E81A5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.669{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_indirect_cmd.yml.tmpMD5=96490F92A62A384AF5BCA99191D6BC2C,SHA256=7362D308A83603DDDEBB166D402F9F1908C1946E21A734A7A7A258C160FFACCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.665{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_using_settingsynchost_as_lolbin.yml.tmpMD5=1F32A473CED875D32973B1B0AB782A3A,SHA256=1BDC4F400480C5B9737A3B14EB9BE0FB1B32F7C05B0ADB9945D1DFD547FF1448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.663{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shadow_copies_creation.yml.tmpMD5=68C9384600E84BE4F2E89903C58DE2B4,SHA256=292D71242AD8DCC4CC0703471A6A6955EB3908339359FBE2744E4AED2E1DC25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.662{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml.tmpMD5=DFFBAD85F513C20157C742EE72449E31,SHA256=89DA1FD8339528DBC72958A0F7E1D695D302BE24EDDC04AA7E1A7850AA5C4EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.660{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_conhost_path_traversal.yml.tmpMD5=14229E1D3934F208CA4DE46EE4A1284E,SHA256=C91BAD125111DAF6FD7B761C9A3E332FAA2F4EF1CB6FD3E437536C794B9453A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.658{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml.tmpMD5=5A3797DC2456B4952084E485A26599E6,SHA256=8BC5AECFC1AE79AB0066740CCD2C0F532F69D88B87228D1389387AB7ED8651B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.655{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_target_location_shell32.yml.tmpMD5=BE49255C679D9C79636EF59B517FD0FA,SHA256=1D918034839D714982A9FE84D97C539403433311677F78BF0A60818C71877A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.653{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_base64_invoke.yml.tmpMD5=B13D7C6B15FB9029FCC7B4CE9399615C,SHA256=1F5EAD86BD9319091063F5000BFDFE431D25FA3DBAF449C34224AD33EF2231BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.649{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wscript_shell_cli.yml.tmpMD5=AD229768CD29250D4E598DA85772828F,SHA256=A3746ED37F92D6C82F2EC10832084C2DC6023FA9A71C2C472D9A008B543983FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.647{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_folder_combos.yml.tmpMD5=4AAC9C5951A216C38DD4FAAC52E41623,SHA256=A59A86A2B505FF7FBBEAF1BB3BE927B55B49B47535E4651A61E767B59D74360D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.645{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_wfc.yml.tmpMD5=EA35D102458A4C5B2020CD8783744861,SHA256=614F6E24092B93CD4C9B1FB6140A186F55043CCA821DC217C4ABD1F86297E49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.643{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shadow_copies_deletion.yml.tmpMD5=C7C51CFBEF760EF5104D6AC612AF1E44,SHA256=7BB048D90B2F34530E21A3543FB067A67E926AF6F578741AB218394851236364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.641{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_dll_execution.yml.tmpMD5=B6059B69DF3BD07D8B7B493FBCC76AD5,SHA256=7B1E082CBD862C87E7DF53ADE338D307240BCE6BD767385C544AE909D138B94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.640{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_sqltoolsps_bin.yml.tmpMD5=3686C692B70D37DB0754772602D16B20,SHA256=71E1459931B1EB85BB177BCC61CFC9EC1D11CD17E85889D518042F2E07735DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.637{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_process_dump_rdrleakdiag.yml.tmpMD5=A2C6CD0834045864CDA9EC8C33B0D8F5,SHA256=083E0BAADB8B6C45EA74F324E0B15F130C9505C1A5206544018BDD137C6B0984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.634{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_remote.yml.tmpMD5=F3DE6D77B4B27E773FD46EC0B866ABED,SHA256=CBFC837B9AFF07AACB72A5243F74F13D72A4A05D98808C4AD0DD1273A79FBE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.630{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_compression_params.yml.tmpMD5=B1F55DC099A7003F96E4A84A2DE98CF0,SHA256=87A28E0FB7A99DCCE299C80C483F755FED1B53715CF3F6F5F976AE5910E2D6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.628{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_nircmd.yml.tmpMD5=DCBB2C4222EB34E343A4727E6B8B1D54,SHA256=0D4C1F70E0DA628F904A30F00E54DAE561FED0305972ED0EAC99CC9365157DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.625{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_disable.yml.tmpMD5=3A52AE3B3747BB3F2934BFD46AA2C6F8,SHA256=7399DE5F55BA5FD56DACE7A2816BF87341B2C5F53E9E3E697A61D6BC1FCD6F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.624{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_without_parameters.yml.tmpMD5=260E12C07864ED72CEEDF4CAB7ECAC90,SHA256=C18F4F442C492A2837551665FC49ED36C9592700E581BFF8D60900D163F53FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.622{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_openwith.yml.tmpMD5=2546D7EDA9A4F524283DB8B61D472D65,SHA256=6B2F66BBB60C433DD013DFFFF639DBB976AACA1C3A947EA468B5CDEE70AA0598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.621{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mmc_spawn_shell.yml.tmpMD5=79C9FA93E0E3D98F41FCEC668E7DC266,SHA256=A6357873F07FAA88ADB33C0594674EBB1C300098290AFA76C8F0B974BD84D616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.619{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ransom_blackbyte.yml.tmpMD5=1737A011C134864776319D1D93EEB961,SHA256=92A37F95DB6DA654D05879DCCB260ACCDA26A8330334FCC3F9C6094E8727CB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.617{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_atbroker.yml.tmpMD5=2103EF3A06B7C3E353C8FD8667DC2A47,SHA256=4911FDD08500A232688335D0B1C53240AA3A7429E582B82DA3CA5E757A3A15B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.615{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_printbrm.yml.tmpMD5=42BFD16A3CF0A453DBBED849C42F260D,SHA256=71642B32BF7DAC9A6426736134CE4109D4D2420185223260A19CD82E2CD7465C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.614{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_stop.yml.tmpMD5=E52E115AF9C357D69CFC02FDEFA65B30,SHA256=21CC8FACACE4A2A89C2E61D3731D1FDCF153316661DA721181E9B8936D607B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.611{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysmon_driver_unload.yml.tmpMD5=59AC4AA59638D75DEE7871B3BC6B8722,SHA256=938DDD070D7DC6C3939DC734985AF690A4FF2D46AB83BBBEC69ACFCD87BE7AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.609{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_powershell_windowsapps_execution.yml.tmpMD5=A0541383E21FE3DBC9399111EB44741B,SHA256=DE57AFAAE67DE98D31A78EE8FC73EC59E1BD16CA8C3C65DDF5BF823CB0789EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.608{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml.tmpMD5=039FCFD886B04E8577041E47FE4139A9,SHA256=D44B9E0A90C1C5428334B05534D7C0D22084DFD626363AC1854DB24EF0762CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.606{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_trufflesnout.yml.tmpMD5=949BBDE13E1522629C943094F1F137E4,SHA256=A3BBE96B59562B00D3DD4E12B89A0864297983746FA5C9095161F19ADB508FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.604{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_impacket_compiled_tools.yml.tmpMD5=6704B2F88B4F78CA01C10D6C722FF1F3,SHA256=14E284EC0694BA5F46301C5DA31630DE70A6C06C92F099689D99D7B71E8C1C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.602{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_judgement_panda_gtr19.yml.tmpMD5=11095FD79A55FB7FA04179325CDA58FC,SHA256=1702E52FE266B900761614E402EADDE9AEAAFC9CBDB5EE1B036030B8A69DAD22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.597{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_delete_safeboot.yml.tmpMD5=578411BF4DDEFA17AF51BAF1971C70F0,SHA256=17A4F9CD02D52ABDAF73A05F34E40EB365F736ABDCD337E60DFAD5126B8B9D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.597{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6BFAB9978BBA64BB5BB3E11D96495E,SHA256=5D7167A6D94636A99ADF51C8D8058B981C261E1D92B2E74C6E6D53BCF4F1307D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.595{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_network_scan_loop.yml.tmpMD5=8685FBACBB7861F82D4594B549A6CDB5,SHA256=E91775F33FB6DE3C6DA67BAC2B9A9ED0712B5025164CBA8D3EBBAF61FE3D72D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.594{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pcalua.yml.tmpMD5=A38CE51CD5BCBD0E4227E3CB9BE439B3,SHA256=23889E29D77F6DB7D12FAAC58AD3ADE517B3E8F6CB93B603DD1CD8D9691D5445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.592{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_wsl.yml.tmpMD5=668FBD7640822245FE3CCA4F519C384D,SHA256=7D85991945B76093AF9F86150830E900869B10C99B3442CE6319FE77F10323F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.591{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_findstr_385201.yml.tmpMD5=D55E5AC399B32ED78685C92F1C1A46F9,SHA256=5CA0A6BE7CAD9DEDC18B7016A8540421B60F181A1210A3A981C819729EC0CBDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.589{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_dump_rdrleakdiag.yml.tmpMD5=6BEE561EA5D8515619F8EEA6195BEF5F,SHA256=440C417483B5016CEB92E3590685296F6EFDAE0D1A963E8D77CB65C20EEEE26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.588{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_hurricane_panda.yml.tmpMD5=45E86F41970F2AE8A133D07C9EDE9EB6,SHA256=C442403699D70BB4C5DAD4F04727687AFFD375769757488B5B2AA58FC3FC70EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.586{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_write_protect_for_storage_disabled.yml.tmpMD5=17ED479F70C80922636C63B57C2AA30C,SHA256=046798192109E71864100176B25D8FA90249620CCF4B428CE41CFFACE8D2DC7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.584{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_http_pattern.yml.tmpMD5=25718AC48FDBB9BCC610FC1CEC9B5DF4,SHA256=C4F81E2EA56075BAB24ED839B3730E8F6B5B850011ED9528A81CACD5B9D45D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.582{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml.tmpMD5=DDE22A269EEFD47E573146B4206A026E,SHA256=4093B248C481FF02D587E1EAB4CD4E139BEA881CBBB76B6D79424167027D609C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.580{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_cube0x0_tools.yml.tmpMD5=70732A06FCCF7397A08FDA6C60507B9A,SHA256=ED6399101240103D97141195D7FA4A2665F8841CB6A7582D4A89D3EECFF61402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.578{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_node_abuse.yml.tmpMD5=4E2CCF1315E79D9A4772E59A6D565683,SHA256=A9311A526A821C1FD40E4D199B1E8E3A371EC9DDFE098B6B4869E971FAECE1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.575{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_customshellhost.yml.tmpMD5=57C79455F02F48AD70B47188E37C101B,SHA256=768F8988AC610E7A2A66AD4FB27114D24AF5714E50182726B12C21BB4CDD6119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.573{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_add_user_remote_desktop.yml.tmpMD5=1AC3C2F0322A437F444098693115E3D1,SHA256=B548AA06477DACA2573C418D5D69EC95F6A00EA0F2635D044D688025804431AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.571{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_netsupport_rat_exec_location.yml.tmpMD5=4987985DEA6C3ABCAAD3B43BD5F9629F,SHA256=0D9BBA3DFE4250CCCD07762269045C5E693DA9B83AEA1188542833EC407D8A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.569{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_lsass_ppl.yml.tmpMD5=C1075F1119048C6CC5777A26506DF2AE,SHA256=A8AB817ED427F00B632CDD93B35018AA3205F81A77437BDC6BC1C4814031F138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.564{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_xsl_script_processing.yml.tmpMD5=4EE8534DFC3C5B11CBFB990DD4E4085E,SHA256=4E4733653FE4667FD68ADE5F12D6DF845DED5BAB5CE5621BD11DD40015175B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.563{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_iox.yml.tmpMD5=C94306811A945431429ED83A1DC30C8D,SHA256=9A9B11D94698E5A4FCF7E853EC4E3CBE7AD60255ED90AE8832036B0FE19EB40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.558{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_add_safeboot.yml.tmpMD5=85016E1DEB1BA7851F66ECF7475EEB93,SHA256=B8B12CD8A88B2BA6A374E8637DECB22FA8B4F551624F6D388594AAE281264050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.558{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0F7788064C6BFA9FC4CCA192E66994,SHA256=608B037A46A5FA5CBB878DE41900B9AF399E453B385453501F4F931FCE278A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.556{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dns_serverlevelplugindll.yml.tmpMD5=6A58E17B5DAB92CE19C5FC3D77C04F5F,SHA256=9CFF1B8AF36CADDC54EA4AAAB880D2EA6E66BBF8DAADC049EE88CFCDE43D95B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.555{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_certutil_encode.yml.tmpMD5=CE56050D9BFC4CE303E802F39D19A510,SHA256=18991C30C100414660AEE2D9CF2DCAFB0310662053AAEC4B69C495921EC9DA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.552{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml.tmpMD5=DD20FA9A968DEC56AA78A4F19DA02F01,SHA256=D40B7164B4785CDD24A2A73778935874F1B9C787FB8AB1C4E5A0A13011C8FC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.550{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_revil_kaseya.yml.tmpMD5=B91A0B713D8EED6B498D5AD1FE39B58F,SHA256=3709926EFD58BA11FDE21DBEC38C2BB1AC483F130D5D4ECC8CD90C47898C37C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.549{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_add_local_admin.yml.tmpMD5=CCE5AFE6BFD71F213959D708AE9E7A41,SHA256=233E27B54D74B40D0577905ECB27103E41C66C10C549A1BF836D186B35C04C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.547{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysmon_uac_bypass_eventvwr.yml.tmpMD5=518D78F421FDE68DABAE0179B4213AE3,SHA256=A03295CF4C192DA7533EADCD17CF530018F9E555BC2B1CBBF1400FCACA150710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.545{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_gup_execution.yml.tmpMD5=01718B3CD180F6A45D9F24B95B2AD89B,SHA256=F1D21D1A9DE474536E98D3AC072D73BCDA56D81812B1B86B205DF67861923C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.543{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msiexec_install_quiet.yml.tmpMD5=ABFDB2BBA72109472E5430BDF50F2CE9,SHA256=9B82DE5521D94286F0A0EA890ACF42FDB2ED44D103510C5DD906A35EF965453E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.538{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_certutil_ntlm_coercion.yml.tmpMD5=7DE41E18E9381AF3EBA0D13FF16FB594,SHA256=430148A74A841E37E19A9FCF64AC83822ADC249E8C14BFC83865C1F83939BB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.536{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_process_hacker.yml.tmpMD5=07B8011DBFA353729991E0E35DD3CF4F,SHA256=C3BD7AB222DFAD8F1160F2B64B40A0C6990A122B5BEC2EC8FAFD6D3935D7056B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.535{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_cmstp.yml.tmpMD5=1D89C72A3321F80DC2A97203415F7B17,SHA256=287774EA8FED363AACCC52ACE1BDF2474D1A05A2B1751FD68B57842395866A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.533{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_sharpldapwhoami.yml.tmpMD5=25AA5A63A9DB2E699A0A50F40E7287F9,SHA256=4E9D3E2C252572429FF6B6CB0BA81EBD6245DAE200CA872D116FA9C6713BE2FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.531{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msiexec_execute_dll.yml.tmpMD5=2296F7DEEE9506C78B74AF2C9A670B87,SHA256=30026E32DEB20AADF8BEDFCB6D47646AB44F7ACE96A8328DADC92BCE2E3AC065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.530{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_fsutil_usage.yml.tmpMD5=FB6EEC82EF835210B7A768FF6D2C2D2C,SHA256=FF122CDD54A9F28CBB5649449C6B5A6436B5C2BBBE29F9FA63C8DCC747F9B2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.528{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_win_exchange_transportagent.yml.tmpMD5=EAA9F998D5D3C5E702DF1895CEE7247B,SHA256=83A8BF857B33D4937A36DC8C53C7052C69BE8BE125DCA1154BD337AD068F656A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.526{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_recon.yml.tmpMD5=C6533793410F8D02640355DF4EB2C5F0,SHA256=07D3B577CC52E7FF5EFF842E4A73266AD2091F8BF942A855ED6A07DFE2655FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.523{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_unquoted_service_search.yml.tmpMD5=589BD8637B03BE9674180DEE7809406B,SHA256=A5AF535E985B7351103B6BF9B802CAF3BF018E67C1F175CFD3E9CFE704A3F765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.522{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wusa_susp_cab_extraction.yml.tmpMD5=1FA8ED36ACC417DBA99F5CDB47210500,SHA256=CEB47582772CA5D5671E2E0AAAD7866A675F1793873EDEB6EE55239CE564CA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.520{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_attrib_system_susp_paths.yml.tmpMD5=C133CB3B8A3A314CC55D388ABB86337E,SHA256=6290E221B9DFCAAF174ADF8E2AE490CF8A5A16E176828EAD7DC800D00D11BC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.518{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_wocao.yml.tmpMD5=D8BDD11055B36EC2FA23E55DC5DBC450,SHA256=20A5AE21E014557765A68B576C510F21DAA42F0BF01C68D23ED2570641A6176E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.517{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_anomalies.yml.tmpMD5=EA242C887AE0606B328B493E5F5A3B76,SHA256=B5204690F964AF621BCF92EDA567CFAFDDA0A80A0F2EB1D28853301BA82D7CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.515{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cmd_exectution_via_wmi.yml.tmpMD5=453C5C4D2C988CA11276DEA6AB0628E0,SHA256=2C87D67ECF5622341439FBA9180AE3A8681723E556DA2EB5C40159B7F0E66515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.513{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_consent_comctl32.yml.tmpMD5=9F142A9C78B617C819A8702ED0587CB0,SHA256=D066B1C791D3A5E241A0379D5496038F4E1D552B7B5912D85424FD029258BCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.511{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_stdin.yml.tmpMD5=CA03435A29F2D01EF639CF66B8001C1D,SHA256=663CA737D530A8DB3BB985890D162ECCE7AE83B5201D29922E31E31E558097F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.509{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_delete_systemstatebackup.yml.tmpMD5=5CFE7D35002EE9394910AE12EA2A3EA9,SHA256=F607F48415477791CBDEB32B525CBEDC686E9BBA9E098D7A9680892F7CE77514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.507{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_chopper.yml.tmpMD5=269591B95C02CB02F2DA0BF0E64E6D5A,SHA256=1F51C757C7955D3162ED24ADE60B4EA1E4AD6EF868C4CF9A9EC49E3EABD581A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.506{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uninstall_sysmon.yml.tmpMD5=A5D9458EFE979F2D21513D23D65EF029,SHA256=9DA29E0176AD510F8834EC6BABA94E29D8E6AB378E9D68BF1AAAF0B4B0FE27F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.505{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdeploy.yml.tmpMD5=233ED3B1D11F91C31CDBB5843AA296CE,SHA256=28BB00B8C4A3820A324DF85DDB69ED70CC24E4B83787868C79213AAA688331E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.503{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_webdav_client_execution.yml.tmpMD5=D8A55E437F4FF5778065F6708FC1E11C,SHA256=27F4A8A688B67EF21EFD023FF3B0200E5D4D92656330DF29EFC7F5BDC58F56A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.501{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntfs_short_name_path_use_image.yml.tmpMD5=083245BC7E22D736E8EA00B0D3775736,SHA256=FAE2A9F160FF3DE6E0661458D7DE25BDFA9527AA4ADC6DEB53317A42B02D56F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.500{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_delete_all.yml.tmpMD5=AB6AE74D8F1414E0FF168C0BF18C41F4,SHA256=B8FD69329248DF4B8B13F28123F81BC51080E78CED9AF865CF66178679B4901C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.498{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_sys.yml.tmpMD5=300DAD2911C5DDA0A538EAE7710402A8,SHA256=112DB57EE25CF84929513D13518DA3BE2F73C5672528A0B9B6A09CEA1FFD5279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.496{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_whoami.yml.tmpMD5=774BA73E7477C6DEA956862308F4FCA5,SHA256=A86828C3CEB5A0F508E688FB3AC783356D031A743981237F197E58CD7E34155F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.493{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_athremotefxvgpudisablementcommand.yml.tmpMD5=DAE474CFECE24EB970872C2E65B03F6F,SHA256=A9139B10BA90AA3E4F8B136D8FB835FEFCF845113C2920F733A9D245E511B70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.492{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_getprocess_lsass.yml.tmpMD5=65A08620A33F386EDD3E0A948686814B,SHA256=A0A94081BF1F133E86FA7279B00CE8BD296DEB3470CEDE9D7A560FA28A394FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.490{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_explorer_nouaccheck.yml.tmpMD5=EF7AA6D09AC8AA2D42D3CD899EDF3BD4,SHA256=9870F4FA73AE82A42392125735CC2719537AE5EED4ECB309CC2B3D748FBCA584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.487{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wmic_eventconsumer_create.yml.tmpMD5=40B87C0674266D02A07EB03406D4670E,SHA256=066EAEB053164714E57AD02A421BC1BE7F16636F3E5D379D1C483B12356C0C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.482{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_embed_exe_lnk.yml.tmpMD5=933A411C5FA2828001FAAFC0BD1C30FD,SHA256=28DB6405FA1E45521797967FB7A311402627FED7D8C5BC3EA9D5FC582F3EE110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.481{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_winnti_pipemon.yml.tmpMD5=C9719510BE5BC524D40768AF96D9621D,SHA256=A9BB25E71070A201FE778ABD5EC7DEF3BA3A54B845E86E44A9ED7D8745725002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.479{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regini_ads.yml.tmpMD5=61122BD55DB99B35B1DAAF149B916B4D,SHA256=9E2D3E61BEDB5AD26ED981A68B0DA6A24919052913A5428577F3AF6461E12F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.476{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysinternals_eula_accepted.yml.tmpMD5=38537067C5A52FA970218C8705D2FBB9,SHA256=9A2D418CB0C3B58D57FD7564370C7810672FA963426907E7FC16E00CE61789DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.474{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_clip.yml.tmpMD5=AF62352C2011C79445D1205E3A35B550,SHA256=E6C759C7989F39E83AE229F89005C40366DAEC1E01654337909ED9263E158084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.473{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_findstr_lsass.yml.tmpMD5=B781BD55DD6B12025FFD7A81A291DFA1,SHA256=7F8594EB53D21B3BFCA8CBD9827106B000B2CFE9F2D14C048F03DF502CE57743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.472{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntfs_short_name_use_image.yml.tmpMD5=5F80DE924841A81D631BA0D58DB79B1C,SHA256=8143B24AF80E3886BFE64E2B77A79C90D91ADE20B45518B76C1B71DAEFDB01C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.469{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2017_0261.yml.tmpMD5=30005845C554FFBC36264A378D7D4D28,SHA256=82E49C6EF7EDA6F2304FFD9E8B88A561508757C711AB6854415A49EB23217CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.465{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_paexec.yml.tmpMD5=A752B6EA08385C2AA3EF5229776A1100,SHA256=9031FFEDCAF9863CB59615F3925F5B81EAAA1F6E5C36C611A504D63180DEF372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.463{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_path_modification.yml.tmpMD5=A21780AF66C4FC1AB3E0E7FD996D0ECA,SHA256=3F6805BF9C1FC3E631366219D96BF37ED4316ED30CDED6005F11D1D794B3861D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.462{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regedit_import_keys_ads.yml.tmpMD5=99B0ADB43F92C5B8EA9CB9C1238891E1,SHA256=DB491436EB448A36B711276F5081D104850E9609B1085D8A860F7F4DA3B429D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.459{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_inline_vbs.yml.tmpMD5=9578F1573691483AEEE7A4F609927BE6,SHA256=9255838A41B8C4C7DA5BE299B46F2E531F49D8B60D9F529443D19D1512058438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.456{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_use_admin_share.yml.tmpMD5=B6A7AF4951342FAD01378692B1F1FB00,SHA256=73A0E6518AAAC3C79436841055D1BEAEC81B63DB77F3E83B6748163F2F9F1490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.454{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_ilasm.yml.tmpMD5=DE65D9BB16CBB7EA80D233E90FCC162C,SHA256=B34EDC0A7CE95904D543BC6EC10DFA5CECD1F6DB8C496A7E3041DDE8B1BD01F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.453{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_schedule_type.yml.tmpMD5=7891074D3DB7C0EFCA6955525978A586,SHA256=9FB0DA48A37825DBE27541F0932E9C20A9748B97E01783B697D3A6A685CE8193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.451{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cleanwipe.yml.tmpMD5=46245996C27C984F4ACFC4015E15D27E,SHA256=78ADCD89EDD318CF2DB0C07C1362559E4C5E7CD445BC02F2C91F4C7C47E6F864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.450{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_logoff.yml.tmpMD5=87F3B7E3E22B823293D39430CCC1B511,SHA256=1322EC19BD58F4B4AA1C5560B5F33311185901C767508D932C26852FAE1C478C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.449{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_handlekatz.yml.tmpMD5=87F94728D38EC5A15F4EB9BB3B1858CC,SHA256=809EFC1ECBD4764D4D1C3F1C1751127E5BA1C07752C689F1984BD36591F5EC74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.447{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remote_file_download_desktopimgdownldr.yml.tmpMD5=9B0AB67A0832163F4A0CFBB4A2897EBC,SHA256=54A972E811F9EFFA463B700BEB066CA58C6CDBE808EC4868CF147E12BFE99189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.446{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_formbook.yml.tmpMD5=50C56178E5226492D85C7CC231F143A9,SHA256=833C214B6182E754CE401127391BA8737723C146242DE350C3A4FA251EF9A38E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.441{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_crackmapexec_flags.yml.tmpMD5=6E7DBD67F56C1F927BDD5579BF30544A,SHA256=2FC507F7C6D8BDCF6DA7AA2B5C92DD900E9B8139DCF0C4375F429B97DB16A4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.440{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_procdump_lsass.yml.tmpMD5=6216DA70A07CFFB325F644C19E8D0458,SHA256=0D99A05AF1465B86BBE668C98F2948CDC6494A87721A7121173A6F18161ED118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.437{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_emotet.yml.tmpMD5=55DA43BCE450B3F8B1D3F00DA56048D9,SHA256=864E1403E10BB1686A7C73B0B1015EE4C25ECC2E823B57410C17F125B33F95BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.435{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_modify_group_policy_settings.yml.tmpMD5=7AB54CC7EDD3E649F3C6B72A8CEA747D,SHA256=5F84BAB432BA9F76108DB426FCB5CFFD03A0D1ADBC9130FF3118ADE227E38403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.433{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cobaltstrike_bloopers_modules.yml.tmpMD5=EBBCF1BF67506988BC6F4E1E7094FC54,SHA256=20FC316FD15BFF6A79AE5740FCBE7B7AA035912258B625A47320FF705880E41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.431{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_child_process_as_system_.yml.tmpMD5=41580E21479888802D549ABA38304ED6,SHA256=80C5C73022E40A6198D779EAD42A4799C43D1CC3C6E8B27D635449681B28E31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.430{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_nsudo_execution.yml.tmpMD5=683CCBF9AAE5E7DAFE4A43F4863C9E0B,SHA256=8A0C8667B9FD5091C4C92F09A16367425DAD668CAF52936C416E40774D64013D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.429{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_dismhost.yml.tmpMD5=4941938A02E8D5119BB7AD36F9EE352D,SHA256=B94803484FF2754855DE4F9B95585090008288EDAD72A7E835967B4C4D106FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.426{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shell_spawn_susp_program.yml.tmpMD5=620761F7B73CE837FF031CBBEFC617FA,SHA256=79C26DD5EF08D20E8DE5C7CF5A97B4AF9563F8E83EF1445B1AFA40B2D8F4EC48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.425{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_evil_winrm.yml.tmpMD5=651D925EB07641173F40E4601CB2CC18,SHA256=39A51E91CC334DE3F98F6B0B0896ACF69777873E63A855DEFC9F94A071B3FD9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.423{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml.tmpMD5=7977094131FDDD4B48CA74F559A9494A,SHA256=1430B30F8C52696B556978DA42AE986BD2F0911143D4803F0137484B2454ED18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.421{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_remove_application.yml.tmpMD5=FEC4AB958A3EB5E0CC9576975BDCB732,SHA256=C5C51E446C710BB5BCF450DD0272EEC7EDB80FBF0F3ADF02DC0B1D0C15169F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.419{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_mustangpanda.yml.tmpMD5=E8DFBACF7E8A760ED13AC6DBFCBB6CBC,SHA256=84F6CA9C1B36560FE3F14B16C1692384432AFD36DAA7F89FE38F8BF48641C80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.417{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_spawning_wmi_commandline.yml.tmpMD5=8D80F636AADEA6B4BCC9467D43A92C65,SHA256=59C82005211E49F6E43149AC8D8FFBFF276797F24C03928237375DF5D2EEB383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.414{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_anydesk_silent_install.yml.tmpMD5=B4EA34857982D372967D10C45207588D,SHA256=0A562F86D5995F81F5A87DCA5D65D279C7A08245A32F8EEAAC665C588CA29B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.411{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_redmimicry_winnti_proc.yml.tmpMD5=73236CF252815BC900EC94618A1AEF59,SHA256=0E6CF01805E736B048CCFA6E6692C36DF3F47E91A67477D804E02DAC5CD85E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.408{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_cleanmgr.yml.tmpMD5=1466E048CE62874853296E73649317F5,SHA256=0C3F15C0FD8449D59A6075081672524DB0BA495CBDC0729634363517F0A9E401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.406{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_pkgmgr_dism.yml.tmpMD5=95C98E693111EDCEF41AC15AB8BDDA7E,SHA256=F4C48053FD79541CAB3F95568BD112E3F7832B43B21D2C523321201B2EE0E878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.404{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_gallium_sha1.yml.tmpMD5=6DCD697D8035BEC9E2F4ECF85437B177,SHA256=3C9A0D51ED79C10D19D6E0AC92F10CA3B1351752837345907E87DEB911E05CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.401{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_data_compressed_with_rar.yml.tmpMD5=FEFE32CF4D97C839848215A770FF236A,SHA256=6F19ACCECC7AAABC5C96C4F8C157E94966B1535FE13F17BA28EFC193FAD6323E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.397{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml.tmpMD5=7FCB12AB8AF4BC4AB1FF6F26FF1ECA6F,SHA256=FE2374C86E555C20BF8679CD6B1C471510662DC0BD1FBCE8A305D80D67AC761C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.395{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_reg_disable_sec_services.yml.tmpMD5=45E94D8062459EC806CEF92A776C812A,SHA256=3E0256ED476BB75A3FC540D46FE1DB3C2AD3A1620659B06A886828F1BCF0C554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.394{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_new_service_creation.yml.tmpMD5=3F991921760AE7139F76E05A32FE3389,SHA256=E71DED7D97B0C319384EFC851F30BC0A1F38AB7D0C5CB06624CCF295880EFC14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.392{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cve_2021_26857_msexchange.yml.tmpMD5=12248A43307768B1E069B38B2071B88E,SHA256=E956CAE4C0B630593FEE5A0051DA8A26B9F4719A5457D9363F90F8359520EB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.390{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_by_ordinal.yml.tmpMD5=AFE2203A803AFFDA3BEFC95E95B1AF7A,SHA256=E2B5F291C8113726584C8BE2459BB59E60DA09BFB0DA91D04BDEAFD89183A78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.389{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_creation_mavinject_process_injection.yml.tmpMD5=84B2F8023652E47750928257B3CA6078,SHA256=5559EE6D54ECB231A8DE6ADE173AEDD61BFB9D71E834516A26BB6DBE70291E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.387{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_html_help_spawn.yml.tmpMD5=C3C035120588A7443AEDFFBC108ED87B,SHA256=34507367A51C1B900CC9223001F7211FF2007D7266223B00AFFC3398430F26CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.385{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mpiexec_lolbin.yml.tmpMD5=68AC681017785D02FF05024C1756A99B,SHA256=2DB5C443F6A69D959B89BDA9D10BD27A2E61A66E31A1A9322F1787550EBC9942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.381{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_parents.yml.tmpMD5=D36A8C4B6DA5C207101CC98862DA87E8,SHA256=F0C8C862D2705EE5204BD7D653CBCAF9F39667E31844F1B14D0D9782ED2C7A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.380{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cobaltstrike_load_by_rundll32.yml.tmpMD5=ECDDCAE3525F69A0B07DE65106901046,SHA256=E135A6F498BE691EB7EA250D9CAA30979E6F1CA94AF35E4A0F1C63177101A61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.378{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_detection.yml.tmpMD5=3E3C7FD0F0D40ED3695132B654511FB3,SHA256=53CB5971218D572F844DE052F890F09B807D4EB4E5F3FF78E854D8E335CFC761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.377{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_false_sysinternalsuite.yml.tmpMD5=5F8E50F972F0D2C09562AD01C285E127,SHA256=CD1549CBC47F87D4BABA3F42F36A282FB6CFDAD2A98D8E7564A32F915A5937F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000749671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:52.153{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000749670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.376{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_downgrade_attack.yml.tmpMD5=E331FA94F2A1E4F2E61AD5FF57F3573D,SHA256=9B8E7480C9170B536C415A74DA2CCB7FCF0C2BBF18CD5FADBBC63B718C6E3304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.372{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pcwutl.yml.tmpMD5=7C909B41C1B3D4CB51915A49AED3FBDA,SHA256=3E4B669B373C5A3FCF3D41E28076171E457DD9930F3C9B66E80B5423D7DD8687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.371{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shell_spawn_from_winrm.yml.tmpMD5=8E0F60732407C371BABFB8ABBF31FFF8,SHA256=D6B428A54397DAA38266EA9D79CF5435349B0AA36D8860C92D51363C69731279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.367{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_var.yml.tmpMD5=93C8B64FDA33D91762042B1293B6326F,SHA256=B3BA91DDEAEB760554A1DB80AA8408D7CA8F3049F1ECB2A8E6215A7CD137959D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.365{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_msiexec_web_install.yml.tmpMD5=FFC16058C61B45B8200AADF77006B89A,SHA256=FB1C6800E9D299B67141BACEDCC25AA1DA028DEB5FF2D2BCFD981ACFE873AE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.361{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hiding_malware_in_fonts_folder.yml.tmpMD5=3B812CC864F4CD14DBD1DD38F5F0C506,SHA256=1FF0260CA710D8CDB86F72128D510331159C7D0C4D0F66CF6E11A7A59AF74EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.360{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_vboxdrvinst.yml.tmpMD5=183C36C3A0C4235E5B4D3EA03098B74B,SHA256=5777282A74995836F0A205C6E7729C560740F168A09F404F6D5A135882250449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.357{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_attrib_system.yml.tmpMD5=3D0FC999EBEBA3CDD8E6B61F5D4BD8AF,SHA256=EC9CA67051A662DC153B45E8F3D51F92D19CEDAC7EB8A40CFFE53F8E8A29E95C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.345{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EF8D074A5DC7E41A5DF04EAD689C6E,SHA256=4F7ECDFB800E3BD575973188FD7F60CAFCD7473B68927FD1B834AA89DA721D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.345{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_applications_spawning_wmi_commandline.yml.tmpMD5=7227BF7DA3332C69649D6AF4F8B1B969,SHA256=FE356A81E3916BF80D2C0349CE4317AD14130AD9339367438DB72A390EB8ED1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.131{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49715-false8.240.214.254-80http 354300x8000000000000000517999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.080{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49714-false72.21.91.29-80http 10341000x8000000000000000517998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.927{5C0BDE06-1A77-634D-0A00-000000008502}6401832C:\Windows\system32\services.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.880{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.880{5C0BDE06-1A77-634D-0A00-000000008502}640708C:\Windows\system32\services.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.880{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.880{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.880{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.751{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.747{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.747{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.653{5C0BDE06-1A78-634D-1200-000000008502}1020428C:\Windows\System32\svchost.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.640{5C0BDE06-1A78-634D-1200-000000008502}1020428C:\Windows\System32\svchost.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.529{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.529{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.529{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.529{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.514{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.514{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.514{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.514{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.498{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.498{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.497{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.999{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000750272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.996{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_xp_cmdshell_change.yml.tmpMD5=E2A66E32AF533F41632A0A9EAA91FA0E,SHA256=FF53C3E73733548F0B5332AAC8F51EE7FF56BFAC57693861B3C40102B5913AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.991{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_susp_backup_delete.yml.tmpMD5=604812237C5994B64B0A0D8E266BE2E4,SHA256=6828DA487616DC5D41C6A6467CE19D3FE5A121D8E6655137780EBF14A1D142EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.989{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_esent_ntdsutil_abuse_susp_location.yml.tmpMD5=2C8659B981690E1546503BB0A82FBFCA,SHA256=D3C9202840751CD9C4BFB88E2563FAA10DD0139843AD9B35CF9048F9D4FC5486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.987{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_vul_cve_2020_0688.yml.tmpMD5=2ABCE5813563B9C1DD50A112A6E6DFC2,SHA256=003BDD148866E0EE955F5FFA8AA485750B875E6B42EEC58703324EC11699212F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.981{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_vul_cve_2021_41379.yml.tmpMD5=41DC07D90152D0B6DC665B2E0ABEF653,SHA256=DCEBB3537550767A3A928036D304A14F31DE680F4487EF7FB67AF5C4689B5423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.979{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_msi_install_from_susp_locations.yml.tmpMD5=037EC8C8B32335477EE8EA7A73DA6549,SHA256=BBC86DA5F88F545AFA707A59102C023AE4E7DC76FBB65AB0A65F2BDC9A86E59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.979{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\dns_server\orig--win_susp_dns_config.yml.tmpMD5=3F063CB1E592ADF597FF7D51FB81C47B,SHA256=ED3E022E8801049AB8601071C030814755D9846892DB015FA0E9E8BBA0041BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.976{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\dns_server\orig--win_apt_gallium.yml.tmpMD5=9BB788FE4E98C954EDB1BF3C62722E9D,SHA256=B8E47C7EE24B6FB79CD5DF121AD4257523B278EA30FF6CF99AAF730AE9CAB300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.974{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\orig--win_alert_mimikatz_keywords.yml.tmpMD5=D75684059AE609695265025A754C3EFB,SHA256=73D193CC0D96C7D5C128766685F80B4B0FE238DDB2544204910EB09CB808D919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.971{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\code_integrity\orig--win_codeintegrity_failed_driver_load.yml.tmpMD5=B09277364AD2900DC232907A94094489,SHA256=5EEC7EF35E3C99DFF24E5FBC9E39C43434BF91A559265BC5A4C876D27D45AF17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.969{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\printservice\orig--win_exploit_cve_2021_1675_printspooler.yml.tmpMD5=3F3A739E54841ACACAD35C6CDC78346D,SHA256=5B22BA4CCD86B2D05C950F52B530F5BB77F87E35A1E44EDA5814C63F940620CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.967{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\printservice\orig--win_exploit_cve_2021_1675_printspooler_operational.yml.tmpMD5=44904D09CAC534D27362B8EA20533770,SHA256=0041D823BF7DA5DD09C480FC8AA0422CBDBB76C22274723394612B693D32B055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.966{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ldap\orig--win_ldap_recon.yml.tmpMD5=D15EF3E39F9C35FC2784AC0509595BE4,SHA256=C12607BE1FABEEE31D315CF3B1C38ABF6C05FA73E9FC10E17E7088BC59E54F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.964{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ntlm\orig--win_susp_ntlm_brute_force.yml.tmpMD5=3AA0883A99902068A11483EF5B187A3A,SHA256=6AFBCF24A3FBC12442067FF112DA325AA55019D5A82C25F0426FF40C01293A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.963{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ntlm\orig--win_susp_ntlm_auth.yml.tmpMD5=9D34E0DF88958C4136C75350319AEE4A,SHA256=3C036B3629C1FD48F793AEE51DA42658EF59E6CCA70DB48DE27173CBC4D91D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.961{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ntlm\orig--win_susp_ntlm_rdp.yml.tmpMD5=58EC29628CCDF9FCCFEAF560F53DE6E4,SHA256=614637C3D39D9A8FCED2FF46EA4686A7E388C3643212F3711B02AFC7224C3732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.960{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_failed.yml.tmpMD5=0ADF7AA3AF2BCB06344B85CCE895C96C,SHA256=4CD5121354DC3DB56E8171D7084B0AA900125F42FA90B371178AFC85DEF24F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.958{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_setting_change.yml.tmpMD5=5E3D37F8071DCB636637ABB1301F01FA,SHA256=B8BDE29CC750CE044E562A0BEA603B5F797368D358BAB0B4A718B5BDECBD3ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.957{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_change_rule.yml.tmpMD5=F29F32B1C37EEECA7AD71676769D4A5A,SHA256=F8B0582F4CB1523F92B4BBC950B94E7312F334AEB62289ED247C9CB421C3187E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.955{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_reset.yml.tmpMD5=344EFFCA7F540413A64B10F49CCEDD04,SHA256=0FAAD9849475A7F3367B61C19E561CE669DE8FB2BDFB19955C315F6CA59BD688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.953{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_delete_rule.yml.tmpMD5=3AB5339DC61900CCC571349FD08FCB65,SHA256=7357218056BBCF02BCE3AA8DC2476EA835944CC84F60D9D2902F080AAF883F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.952{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_add_rule.yml.tmpMD5=558D7ABA1065372476AC1A61B3E14434,SHA256=0B50C9DA4FC82A67A65DFCCACE765DE3411A277E9F3BD692124CE3281E3F03A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.949{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security_mitigations\orig--win_security_mitigations_defender_load_unsigned_dll.yml.tmpMD5=C2EAFE218C241EA986FAA9F10C1E4D7D,SHA256=43A0EAC85EEC7653FA53843432D152D70A2C6831641FC371180278AB88BEEFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.948{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security_mitigations\orig--win_security_mitigations_unsigned_dll_from_susp_location.yml.tmpMD5=1F586D4055F4BB00AA35479B2B68DD58,SHA256=673E021D8C59ED3CFB7217C18094B1000B004147F7CB078DA6823AAC00A66242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.946{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\terminalservices\orig--win_terminalservices_rdp_ngrok.yml.tmpMD5=A718E504F44261B259104DDEA1851EFE,SHA256=CD4ACB5FEB195CF01DE93CD1FB862BE4845FFC4C042E3C8E1DA6F828D6CEA2B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.945{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\wmi\orig--win_wmi_persistence.yml.tmpMD5=17B140D4ABA73746C7E9FA231F99D4EB,SHA256=A4E8091C2F0FB6D8167E001FD24CE3AE39DCAE61ECF6BAC57507A2D0F5207BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.943{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_proxyshell_certificate_generation.yml.tmpMD5=E5AC5DA911D17EBEC3CBC7FE84C04087,SHA256=ABDB350D00C3E46E41ADC6764FFD00C3E449EB3EA045F28C0317E8E0DC9E9ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.941{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_cve_2021_42321.yml.tmpMD5=50827B86B3AD8AEA4C9B6F7BFBFB37AC,SHA256=3EFC3F4B074446AEBD353D88F1A0176BCD7E5DAFD74ADEC5E4D713DD1DD9D2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.939{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_proxylogon_oabvirtualdir.yml.tmpMD5=485F2895D57AC04F961F9F28594D30C3,SHA256=0ACCDB37E78963D315648CC72FC49BD4DF8F4413B3901A2DAAF342A6203450FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.937{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_proxyshell_remove_mailbox_export.yml.tmpMD5=780DA56E488F402CC8EE4CAA4B4F10C1,SHA256=6E5B3D3E5DAC9F11D3215E74EC58AC04293836A5BC551C63C2C95C1735868D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.935{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_transportagent.yml.tmpMD5=F77E71A8F4681AEA3106C827709BD8D0,SHA256=01A53A01F1523CF28A687F0C914A34BEDD49B4FDA043B356D68315EC8BCEAD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.933{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_set_oabvirtualdirectory_externalurl.yml.tmpMD5=CE89CFD26E065591F5F822EFF8CE8B1E,SHA256=2733C25C308E2420E0A1E27A05276A4F2CD62B6899B9BCD2AEE91935BA6A5BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.933{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_proxyshell_mailbox_export.yml.tmpMD5=9DF528FB155D3BC0A13C3D99BFA44A90,SHA256=7520DF89001E9FEDAAEFC697C22E7ECAF636725854AA393B53C525FC682CA25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.931{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_transportagent_failed.yml.tmpMD5=6B65032DB2C1452F18D78E0B30676478,SHA256=345370CC1F6244DCDC1925C356F1C8BE85DAC078AD84E3B5FCA54A1A8B417267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.929{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\shell_core\orig--win_shell_core_susp_packages_installed.yml.tmpMD5=07F5095854486E44D14614DFD9136BC4,SHA256=9544A03E03E1634BC7B6BA32FAFF211F637473EE46AE4E40647D69DF22C5E91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.926{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_eventlog_cleared.yml.tmpMD5=47A9E4291CBAE3F163524825BE2D3443,SHA256=4ED30CA2197FD9B163A0ECC74B724B3069125EEB5E95BDAB11735C63C4BE5E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.924{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_application_sysmon_crash.yml.tmpMD5=AA500CDA93A81A881553B7F03CEEE614,SHA256=A62AD361160A063635CF55F65B238A9D97DCC0088278A309E7B227AE6787090D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.921{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_defender_disabled.yml.tmpMD5=E032F2F17B878B6F616166022F40E9DD,SHA256=078DE942C0F99A4D4A32D7083BA7E65551DB094F3E29CDCE25AE1015F5C391EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.919{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_service_installation_by_unusal_client.yml.tmpMD5=B24B67D3FA673D5AE44F81B1542BD90D,SHA256=AE615817B1BC8FD8215F2EB8BF9030AAE947243CC6A585562A698CB053D05B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.917{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_metasploit_or_impacket_smb_psexec_service_install.yml.tmpMD5=D67F963854FA7E1E1614212EB4211A06,SHA256=CFE111AD836417AE315F8129E0C8C3DB95FDC59469CC97C4A732E1E0325903A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.914{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml.tmpMD5=A229D115914854DD7C9317D1FC39109B,SHA256=F2C4D6CA033D7A80659B2F72BA578CD92E758C4D0658C6F9C5821BADE43A1C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.910{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_mal_creddumper.yml.tmpMD5=3CCF434468A0A2A04235E1CEFCFC824A,SHA256=E18A1C5338A5C5459E21244C7A1FEF36C34CFEEE037707E278C3B77D614EF24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.908{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_powershell_script_installed_as_service.yml.tmpMD5=E1D293A52466C5264D5919650F2B2F01,SHA256=4BD2AD0FD2EC8C46E3549C4A95C6C5D9681CAC09CE64CC84CD86BA60BD310839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.905{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_tap_driver_installation.yml.tmpMD5=747DB0167822941E021338BC06ACA256,SHA256=BD49E7150A442F430CC67F4866308EC5C041989ADC3191BF62C4ED2B05C01B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.903{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_wmi_persistence.yml.tmpMD5=F63AC425C34B9AD3764F65192CCD1076,SHA256=63BC485C01FCCF1A3507185A52BDBE5F1E043BB6C4A4FCF3D2EF9AB0C41AE619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.901{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_cobaltstrike_service_installs.yml.tmpMD5=4FF8E2DDC275499756517C74D8DDEB88,SHA256=5237A0F649848F102579A90F4A917B1F6105AF07A8B43B21088A544F9730D5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.898{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_mal_service_installs.yml.tmpMD5=FAEC227B6D0708B447177AF169AFF009,SHA256=ED1F4C527EC09D0FCEC0F54A45BA7BA3C8A9E94D02058507DA409A636C9D8FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.896{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_process_hollowing.yml.tmpMD5=954C711755E8AF950F4F168E99A579FF,SHA256=C1E46927087636DFA3A488D99D1276F6150036EF8CED11217C33D3E29A818B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.893{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_config_modification.yml.tmpMD5=DF0280E75AE60CCEDF97E28BDE8C9255,SHA256=3F33BD6A29B1DC29BC47F2E5A17C437648B5A724516303CD4C7FE208922099EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.890{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_accessing_winapi_in_powershell_credentials_dumping.yml.tmpMD5=E2EBECB9891C1F099BEF3D1FE247B370,SHA256=8836ADE493FBF92CB9B4A6ECBEEFBEF87131F4B3A6EEF221366E19954B1E0E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.890{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C198D726E3F9557272E873C92BA1F626,SHA256=6B3BAD86C5D39A5103BB6266ABCB0966891C24F34CD86BE5B82F51C1FC2F8E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.889{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_dcom_iertutil_dll_hijack.yml.tmpMD5=94805591140FB75C12C1714414E6CDC0,SHA256=C8CED44003A7F16D9224B944F918ED706D0AB353F732E6E3E6416ADA9FE6E3A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.886{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_config_modification_error.yml.tmpMD5=4579AFCA3764772FB33584AD2008552E,SHA256=08672EE365B4DCD2CA3BDC453061581BF49B94F055651F65936894AFDD4BBBAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.883{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_config_modification_status.yml.tmpMD5=6905EC9C3D727B4F369E2AFF4219C78A,SHA256=2766583F50BECABD327709B8B1DECBEC0FFCEF92262318DC7854A6E598730909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.882{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_file_block_exe.yml.tmpMD5=5ED72603CCEA7F3AC576818877290BDA,SHA256=1C19586A4DFF340B1F4BAB809EC5986DA47B031854DC30351E41047EC26C8C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.871{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_rdp.yml.tmpMD5=AF297E504E32E1E302EA74FDF18C17C4,SHA256=EDF5AF2CB035210559599F447A5350E2DB2E0FD22DE5F1A79A4E9503B40A9C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.869{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_ngrok_io.yml.tmpMD5=5D4DB55504374A0C742A9C6B4E0FBAEB,SHA256=563B460B4E15FD20977243095277114C28DE58E377D900FF68CA24C20CE19ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.867{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_eqnedt.yml.tmpMD5=ADFF664B3E82D1932A7607CB20F77B88,SHA256=E929292773E2F9F761BC16EC9A6373C6BA9AEA5B11A9E9711E24B0AD0635B10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.866{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_excel_outbound_network_connection.yml.tmpMD5=6CBEFAB3220B2616A4115236DA760446,SHA256=2B683918A9DFB058A5578A48B311E5211B4FA03F568BFE0A2D9026961B8DF57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.865{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_dropbox_api.yml.tmpMD5=10E7CACFDC64186E7B8AEB63D9806A56,SHA256=00E449260996C8FEC654D0BEE53CD80037D47720F5AB68FFAF410E0952C5AC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.861{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_prog_location_network_connection.yml.tmpMD5=5BD570248ECAF45A50D3EDDC0568F5D9,SHA256=0B3186FF514C48CF2C98D4BCC14BE59B6521DECB81E7CB1484229270F3CAD870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.857{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_epmap.yml.tmpMD5=24743D1116A976F7E4A2E14098397748,SHA256=4677DBB23F6818D8DC27DE3F7043E343F94D62B38466A1EF70008AAE572BA8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.853{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_powershell_network_connection.yml.tmpMD5=7797A3AEF6FE5F9E8D98BF77794F1436,SHA256=6DE702D6C8F7C33E1594FF9AB1EDD8994869C43E930A32D6F9867B376FDC962F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.851{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_rdp_reverse_tunnel.yml.tmpMD5=D4156A1AD7CC1AE59B0D924D4FFC1B70,SHA256=0739F3F4BFC3FB03B446542635726E9708F8DEABC7BEDB2ABC7EB1B8EB4D40D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.849{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_notepad_network_connection.yml.tmpMD5=CF5EAAD49035187965F4B1AFE3C82F00,SHA256=5EEC0999A951DC27CECD8EA7A03C6791F37549C2F398D20CB5F436AC41533D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.847{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_dllhost_net_connections.yml.tmpMD5=EAA887596AD5E0E3781C2EF2203A704F,SHA256=608A6305409D6A415B4B7EEA122C0BE9119DC05F4516CDDE1A4B7FA878CBD6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.847{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_wuauclt_network_connection.yml.tmpMD5=1A175732AAF3D623F42F87584BD9B5A4,SHA256=092D8F6D6B1498695CCBF36C9B5A0E89C660639FB70EF1379084AD1A42FA40EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.842{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_certutil.yml.tmpMD5=037EB9ABAD8174C05C9D5A123CFC79C4,SHA256=3710C5ADDC001C194772CFF7EF13F5C6E1C96C61C9CE33C86A51D67EADD60CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.838{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_dead_drop_resolvers.yml.tmpMD5=9D82E848A48CAEA52C8F802B70EAF798,SHA256=0CF07228CC05132C6624E0B7015B65691B79CBB9AF90C962EABE320596BAB1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.836{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_mega_nz.yml.tmpMD5=478D759729AC497087A28BF4F36A2FCA,SHA256=CE1EE34AB867A1F2BE3B520429805EB0C35C083B8DF2A4806F1227DAFF93FFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.835{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_silenttrinity_stager_msbuild_activity.yml.tmpMD5=FB72953210AA3F6D363608B6D8D39FA6,SHA256=F363088DD2228F0278685357F089601777ADE71207B65D441182E98D4CA2CC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.834{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_malware_backconnect_ports.yml.tmpMD5=14FF91C7B9152972247486D21FDA2C27,SHA256=37D1844D9E83AC45A899A262110C317EAD40EE0DEDDA39EC223165DBB2CB2222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.832{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_binary_susp_com.yml.tmpMD5=864A07CD61DF53755F3F2F4FC32619A4,SHA256=E96B0E28BA21727AE7A77EA8A67B4F4A1E7243D82253090EE20344D034C4DED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.828{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_binary_github_com.yml.tmpMD5=E7FFC7ACF9466D8AA539FE0108002CD4,SHA256=1C7C07CA78D0464C98FF47A3979CB559438889CB2BF9685D85C9016EA12F785A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.826{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_imewdbld.yml.tmpMD5=48693D97782A1EFC6F40787D1AA3EBF4,SHA256=39311A0CEB0F41B71DA18C6BBB8D48E48F136F421780C8E787E3B7F4CE4970D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.825{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_outbound_mobsync_connection.yml.tmpMD5=8E6F2214C61E9DBC780BB14BE4F0F42E,SHA256=F1AE70EC0A8F93578A8B3515C28DEC0838040B66163BD85AC6FBE583E7311244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.824{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_script_wan.yml.tmpMD5=28FCCCD8B386AF322C3878FD45C4B08A,SHA256=B2211DFD517CD9D6401079B2F5FA230D8BEAA9BE11EC7555FDCAB238E6E9DE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.821{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_binary_no_cmdline.yml.tmpMD5=398854EE5572891BD6E2D6D56DC011BC,SHA256=8AB048652F6E663E29E8024F802A78BB61EFEB950DAB07686659D40E8D87917B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.818{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_remote_powershell_session_network.yml.tmpMD5=2020E9711A5FAAD9518E59CC188CA194,SHA256=92DD4E841A24FCFFE5C16A1279E325E45B35ED8796B4037F189960CDD6D3E56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.817{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_msiexec.yml.tmpMD5=12F506AA50AE381D43AFAAE490FF8201,SHA256=B05AFC3E9775B21492CC52A888A85FCAB6C92E7ABA73370F55D581081AF4D31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.814{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_crypto_mining.yml.tmpMD5=AF8B9878B7D23B7FE1A260D31665E56D,SHA256=5FFD5AAF7B43A930C37CC5D85669F3094BE956E40CA2077F74835441C035B8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.813{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_script.yml.tmpMD5=15B7A28443146CB7A29674A3EA6CEC2A,SHA256=DA5FB1A9D745848D6E24BCB42CD3AE7A869C578C6AA9EC24C2B58346736DC2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.811{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_rundll32_net_connections.yml.tmpMD5=D1F75E01C5E7AAF8EB3E3A218B0A483C,SHA256=138B4BD7D9E38B16093D33A192EA17F2C415B5EAA0098058F723BD1E29925CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.809{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_outbound_kerberos_connection.yml.tmpMD5=495A32E2C3E2616B7EF722575FC9B92A,SHA256=5B81D4EE5D9B7D630BCF4ED588A0C5CF80FDF14CD53B433CFA736C08E35FACC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.809{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_python.yml.tmpMD5=05645CF9A84CA51C3BF5020FA672F84D,SHA256=4A8E293892C605DD7EA6033BB30E456F32C7E88D1A4CE78C9E551978B17D7500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.806{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_hh.yml.tmpMD5=5500BDA6ADDCEFAD966A3142C1330B99,SHA256=1FDD60145F6C9ECBC8B3E3544629852661DCA122296B63C20F6F38DBDF5206E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.805{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_rdp_to_http.yml.tmpMD5=E937A3A595F31EF37591685D1A950CDA,SHA256=3C4827C7DA448258CFDABA967B16EF73BD8208CFDD343A6884C4F5AFB5E3B576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.803{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_outbound_smtp_connections.yml.tmpMD5=AC0A98D65952065E8D1A3D16D81193A1,SHA256=1744D72965A400C75D90A9C9582DE0EC6FBFF597F10725F7A39A319A1BA58806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.801{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_regsvr32_network_activity.yml.tmpMD5=422FDC6400D87F55481A446FF8ABFD50,SHA256=AEC68F7A0ED7B8B7914370896BC2009BE44D9F48928D049AB7211E4AAD096A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.799{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_cmstp.yml.tmpMD5=A8A737E460F0CEB76A84E7B69F713733,SHA256=2C7D7D5144B4B91A4518F5E9E501B3FB15322398ED34D2570B1F21F2A479FDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.797{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_susp_ip_domains.yml.tmpMD5=A9A22B2CF8306F50E3E9951DDA9EDDDC,SHA256=0799CA24392C94596116AD39BD4F6162138AD1BC5BBA7ABA09A92292CFF3B569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.796{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_hacktool_download.yml.tmpMD5=2A800D4C6F60BC8CED1CFC4D65A0B0BD,SHA256=923271F08AECA642679955CC6124B0BD61DB174A61B1842916E25C003AF11CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.792{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_susp_domain_ext_combo.yml.tmpMD5=0DCA7B83498486867BD6B00B9D2DEDCB,SHA256=E93D3C9C2BAD1E9FACCBB3A4FB755BAF385CE8CA49466E90386982FD9D8AABB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.790{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_ads_executable.yml.tmpMD5=CEE7E53918A68F59C0F7D6F6AD1DF6CD,SHA256=9422E244242DE7A337101A616C70E07BFFDCA4681A0CB352EC8B7073D6F897B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.787{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_regedit_export_to_ads.yml.tmpMD5=8F66D0F2279CAA34D2E1E776C5322E04,SHA256=30E8399CBB579BE8A1890D20D7194B38D64AC982109E3AB129E4E9C72EAEC00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.785{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_susp_domain_ext_combo_med.yml.tmpMD5=DAD633728DB88E32DFF5201B563B9275,SHA256=320077F0A2671F726CC7765863968461FEECE4CFCA72A1CE51541ED7810839FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.783{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_ufile_io.yml.tmpMD5=6806BCDA521F281D01A44251C3724B57,SHA256=4C896FA3727771B686D3705C761F4AA90FA884171450E1D6653C790D5093CB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.782{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_susp_ldap.yml.tmpMD5=E39513E0BA532D90F609E3665FFF4CBD,SHA256=26CFC3DF6B853C6DAF4D7015D89B9CE6B0B01DE8FF009E420F1DC2AB0D14AAA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.781{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_mega_nz.yml.tmpMD5=F300DE8EADD86E9A828712FCE1B0078F,SHA256=2EB1D6C78E54790CDCA571634972FE6440473197C9E7469CA18AE998A644A89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.779{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_anonymfiles_com.yml.tmpMD5=1991A737AC30ED38E68C3A8A4C1027FD,SHA256=9376AA08124ACAB23D5BE0D3F498C4B61992770C6AF0ABDC48F42E3838AAF4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.776{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_susp_ipify.yml.tmpMD5=658A8044C3CB6044DF182424D7D3EE62,SHA256=77D07B5906A1FB2F4B9CBD91E6700F6F7FF1770C876A02509A842D907B3D9586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.774{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_hybridconnectionmgr_servicebus.yml.tmpMD5=942F35FCA82F68B50B5767AD55495818,SHA256=7D93AC5A44E7173428646673A7DED8AA585428B6B648083EC7C2960F5B7BD557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.771{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_tor_onion.yml.tmpMD5=4D1D666F06641889A620A130D65BB2D4,SHA256=F1160619AFE841BE09DB1A284332ABB57D0B44E8537D0330476901D265D6482C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.769{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_remote_access_software_domains.yml.tmpMD5=32ABC309C4F7139A2FB2B6E7B3EA9307,SHA256=B7192F8D8C27E25D550D3EABED2850269A15067C8E3D5A1053E54483449B07D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.766{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_susp_teamviewer.yml.tmpMD5=522ABD8EBBB83C06FD46F9EED056B2A6,SHA256=4376B3EAD12847BDB7657C45E351CB7E0AE40A472AE4A345DE29046818BD397F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.765{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_lobas_appinstaller.yml.tmpMD5=A8EA7A4F9C9D55CFB9749C3DF58449E0,SHA256=F1DE2E453CEFEA4EE31000D1DA4DA49A85C657A33E524508C948C5AAEAEA1507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.764{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_regsvr32_network_activity.yml.tmpMD5=225B7D4742DF01DC3A408238AD3CBCD9,SHA256=53B814DBC82C3DF645555C3D0153ECA58428F0252836F3F407931955D3844BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.762{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_possible_dns_rebinding.yml.tmpMD5=3D409E90B1FCFED7D29024364ABED99E,SHA256=8C8742134ABBC104F9BACCF5D7D2E6B4BBCF958AFE874EDE1617306EBC8CCD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.760{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_mal_cobaltstrike.yml.tmpMD5=E94072A4488D295CD30EDF93FAABD132,SHA256=FC80014EF71DD877E5DBFC84D059DE682065CE449077D068387C6CA6503C8A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.756{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_mstsc_history_cleared.yml.tmpMD5=8571363185F64381F872A87144380414,SHA256=5D8165E50307554C5C3E2543F9024A31C3242D79AF3878AD9ED2B5040EC13691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.753{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_removal_sd_value_scheduled_task_hide.yml.tmpMD5=BC17DEF6AC1F1D6604BB4ED53ACA298B,SHA256=1956BBAF58D4979309BFE0D3C9BC1D9D3BAC1128DCC305EFF1254ADBD64FD6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.752{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_removal_index_value_scheduled_task_hide.yml.tmpMD5=B78995600DC55961C1CD721F278DC639,SHA256=71E58727E45E6C28DF634B1CD603A94E57D4D8DD24BD2A11BF12025590F6A672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.750{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_removal_amsi_registry_key.yml.tmpMD5=2891603084DED1C0DDE8B606DED9230F,SHA256=2D72F9F9733C9D552ADE18592779FD38FC6DBB540A910BA0552271D425905694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.749{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_removal_com_hijacking_registry_key.yml.tmpMD5=1219B27D0455C10821C2D9ACD87DB475,SHA256=954522D044562D0AB250DB3A67CDEB9A1AC20A1CA979F51B6504FC7BA2DB3D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.748{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_exploit_guard_protected_folders.yml.tmpMD5=C121DEACFE8B617E1B2D59DFA524BCFF,SHA256=1116CFA4B38385B045D17C1FBB951A401373F8F9092975AF47C64EC4E4DAB3D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.746{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_sysinternals_eula_accepted.yml.tmpMD5=59BF7FEF055905197BEF497633FC6195,SHA256=6852F1DC8AA2E07FD40B962752EDDFAE2AF9EA4E146CF0ADBE3378A79FB835C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.745{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_set_disk_cleanup_handler_new_entry_persistence.yml.tmpMD5=0CC19697EA4B904C01CA68F566DBF5BA,SHA256=1792EA3ADC32C6B8B11FD750A9105E9381B18D090755EE203F94B3A0C587D792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.743{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_mal_ursnif.yml.tmpMD5=F254E3120E3576C55FE2BF6DF0013044,SHA256=94C1B5978711A09388EB18D453384A27E73FFABBCDF129C99568BBBE4EB52450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.740{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_sysinternals_sdelete_registry_keys.yml.tmpMD5=58A968B66C8F4CEA552E2FB5D9624E4C,SHA256=A215B29D7807032431B4A13097090B62495FE9EB8871A713DD470C025AB00F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.738{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_persistence_key_linking.yml.tmpMD5=CD27E7947B56CEBF264E8DD95E0FAB62,SHA256=97FE310992EE67CC213A9BCE888BA37C89193304F1FF11244C7A78AF59ED3A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.737{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_amsi_providers_persistence.yml.tmpMD5=73AD87AC9C3397C812EFE2B8DF19BA55,SHA256=CBCB35A494D4EE7432F372F274E531FCE43E92F1403A297BF6C0E05CD3B8270B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.736{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_mal_netwire.yml.tmpMD5=6D89BAD29AD95C10257BBDF535B47E5C,SHA256=9BA51E506092C49E446FE565889923C69DC5119D11AB8DCC476FC4E5A3314EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.733{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_susp_sysinternals_eula_accepted.yml.tmpMD5=F7032CF632FE5BDA70420661D9AD040F,SHA256=86E3FC3C8FB750FCC13A2120D44064249CF929C8237C055F43BDB86A8C88EB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.732{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_renamed_sysinternals_eula_accepted.yml.tmpMD5=74E9CF6F2EAC73851A076BBF164376FA,SHA256=C38978A0439BC8226FBBB5314DFBDCB12FC6C4E83655A1D1ADCE5E13DD18A323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.731{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_logon_scripts_userinitmprlogonscript_reg.yml.tmpMD5=5AA4B7F9980ED73BAB89C36B97163DF7,SHA256=8EEFA782C5F1233F0081880513E57CD40CE7E830CDBD0A9B79E19319D86187E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.729{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_susp_atbroker_change.yml.tmpMD5=41351BC7A105C8F2683B8E61EE5F5ECF,SHA256=8DCB1C4BE99F4C6D07AC124A32FEA7919F2AA030E0F3FF4EC40886C8FA80B780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.727{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_mal_flowcloud.yml.tmpMD5=1661D0D543627ECE085E8B8D745D7F77,SHA256=0F81706BB1C23AF688AA7771A1DA203DE65C7DC72A1359F2EFE0B38152938207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.724{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_runkey_winekey.yml.tmpMD5=9700660E06BCE4EB7A9C30810F19C516,SHA256=322EE02C7B4FB91196541D19DC406C0668A63C0C1DE632EB9CC3020F14557166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.722{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_office_test_regadd.yml.tmpMD5=E967E33FBACA4692B1EED16FF1DC0850,SHA256=AFF8C85D18E66F5A6155C6107C6444FF7BD6E2BF608FC59B1B83DB3BE8020DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.720{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_disable_security_events_logging_adding_reg_key_minint.yml.tmpMD5=23CCF8AA3CCB76F4D7F4BE166DD5C01D,SHA256=AD3F522EC551136219CBDBBB97CA8F4F4A80137A966CAD09BEA31276AC3ECE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.718{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_esentutl_volume_shadow_copy_service_keys.yml.tmpMD5=F972126DB6FD11BAE94F7A183FBBD1DD,SHA256=414F60495FDC3CA11157E5ED396D8D488619E7C07907D1F2186D5990A89AD737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.716{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_modify_screensaver_binary_path.yml.tmpMD5=52D7E47B1F90741E36C1BEE038C9CEE1,SHA256=59C61D659CEF889208F801E99317216B6A8320454233D216C50E83345F41FDE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.713{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_bypass_via_wsreset.yml.tmpMD5=61B61316F4F8C5A14F023BBB03252094,SHA256=72CEA69E6B3F4BE8961B3C75E9C080BB88BF28AA7F1FBB06912ACB4956859055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.711{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_redmimicry_winnti_reg.yml.tmpMD5=71AE2E9D0FA3D352ABE365BCAC2A6681,SHA256=B99AAF01C5CE5A4ADD8A2884CDFD0C8EC6F37CDCD3E6504F4C8C94BAC9A3949A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.709{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_susp_download_run_key.yml.tmpMD5=D66593E0A10A99059CD3125030167AAB,SHA256=511FF3F33CDBFB9B227FE79594EDF3874C85AEBDB3F64DADB2B12154CFBF0586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.707{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_apt_chafer_mar18.yml.tmpMD5=61C90639B31641E0299DF5B3B5072D13,SHA256=EAAB80B5656B016A00F904D48C94B9116DCDEBB1D7AC158E55F6B9C30C7F331A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.705{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_new_dll_added_to_appcertdlls_registry_key.yml.tmpMD5=2E83D7FBF72AF813CF4D5551521E0FEF,SHA256=94C736F2A4CE07D96E9FAB47329E79841DA195B8159B0FDAC19FC5A1E630C9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.704{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_silentprocessexit_lsass.yml.tmpMD5=7AB849876A29FA19F5337903C8753BEF,SHA256=908631102B5343DC7B214F9BA2DC2F5C729E759583BF9E9841DEFD5BEE33845A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.702{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_trust_record_modification.yml.tmpMD5=09342449713704658A7E7C148112DD04,SHA256=C1B3B143E90296FEB5B4902E68B11507651AEAD754BEE45CF4E086CEEE5ECDEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.700{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_cmstp_execution_by_registry.yml.tmpMD5=E1715672F98FD3919E0DF316210878FE,SHA256=F5E8DC50E742AB6DDE74E991378DD63D4A850E6D161B3B0FEB2B55C08A928FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.698{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_net_ntlm_downgrade.yml.tmpMD5=2C203BDBCD61AE3F1E35114D2B965575,SHA256=D6AAAD4CF15F9E05C57735BC9C6DBCADD603D4F4C1C6EC3C08B880E65A597623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.696{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_stickykey_like_backdoor.yml.tmpMD5=751041CB31D6744415E06F6F8BCE5606,SHA256=1117DD3A0C01063635A936A227F828E7E3C5192450DDE75369DF9E951B352A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.695{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_apt_pandemic.yml.tmpMD5=2C42BDF2FDA18D2E5AFE77495B7808BD,SHA256=638DCC482FCBB8554961CED3FA34FDED2C3AC6F4F6D9A68A4C734715B65D5EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.690{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_mal_azorult.yml.tmpMD5=CDC4A891FDC53536D9AD34CFF656E857,SHA256=52D311134158D68A8DBA7F718903CA2F55DD19BD6E09E3C79C63D3549BBF4B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.685{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_persistence_recycle_bin.yml.tmpMD5=E14B4A74AFF26F41A3B39D2081133FE4,SHA256=FDAD6C6DEA4A35E08C06AB73C4B2677CD5561DC792C716DF6C29C90587499D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.684{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_shell_open_keys_manipulation.yml.tmpMD5=38F6290E391EE514BD3D6839C78E817F,SHA256=E0445FA4FC9C0647E7DAEDBAE8AA35C96615E897568CA0E5CFFA8018E2959EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.680{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_hybridconnectionmgr_svc_installation.yml.tmpMD5=B83770C68176693681F8194727284906,SHA256=8792EA4EBD737B8A5A9A2F57D55199A9794ACDB791363AC5CB16499499471D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.679{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_new_dll_added_to_appinit_dlls_registry_key.yml.tmpMD5=8E9E688FBABFC5575C0FD6655DA70F94,SHA256=A433132F63E7BDE9A9E9C5CC3FAEFEE234499C9CA0AB0F1DA2E41AFFE71C43D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.676{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_portproxy_registry_key.yml.tmpMD5=C392788DB05B3E22A6AF7FA9826AA5E6,SHA256=C728CBE73F176D2F6370E1AC63A309E5BA16B9B1C9272256B0E63AB65282190F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.674{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_susp_mic_cam_access.yml.tmpMD5=36BB422E2427143335B4639D3654F433,SHA256=0E4CF443570FA1D3740C718BFBAE628A43182432BC19212C8F8775B585E0DFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.672{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_disable_wdigest_credential_guard.yml.tmpMD5=112380A875C157EEDBD9641541CF7CC9,SHA256=1D7F0B458A29F12A6BF87BD08E21E5E95C2CE1080A3AFF311A8247954B0288C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.670{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_narrator_feedback_persistance.yml.tmpMD5=1D954EC9F9E75490984DBD2F783A0789,SHA256=E5D0564985FFC7E9FD7B554BECC1EBA73B4E662F697CF0DE51F43397C65CA068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.667{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_apt_oceanlotus_registry.yml.tmpMD5=627A66F9D3F7180FFE15EE5E7FE3FB06,SHA256=543252F6E3E5FEBE1B85E98CF73028E435497A256869DC9FB8D5FFA2D54143E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.662{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_runonce_persistence.yml.tmpMD5=096E44DF520435DB7C352E5758D4EFB0,SHA256=EE1D0F96ABB18DC8B4D4F21CF43CA2153D76C3F41C8191DC1245342DC3A057A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.659{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_mimikatz_printernightmare.yml.tmpMD5=122D91FA69BB91047FC5DB6B9CBD29A9,SHA256=F5348C2AE48D9CB596C93AC15E5EF3DA0D54B5671C32216D1CB2906AF7EFEEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.658{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_hack_wce_reg.yml.tmpMD5=8FBA02F07242E17808F6D059DA38AE3E,SHA256=CF67D0BD65E958DC467A1C3AD18CFF8003BD8A7C01132BC6762B26E4E224D31B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.656{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_ssp_added_lsa_config.yml.tmpMD5=A3FFDD280EA8304613FC060D172DE1BE,SHA256=8EE603CD97BBE41DADA903C6B5769E5DF8C1E2A58A1F7B255B24F55B02B80CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.654{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_add_local_hidden_user.yml.tmpMD5=DB70052DC884CAC63CAB0F70F8773879,SHA256=AC0F60EC6031BC68EAA93BB24E9A58F094FAD09AA68C6BC9D83126A33C8B66BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.654{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_susp_lsass_dll_load.yml.tmpMD5=B93008FB84A4C62F68FF8B5BB444E51D,SHA256=17E211D9F1779A9F614984184C10E5A632D0D37F2B16DDF6A4409DFF8B607919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.652{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_apt_leviathan.yml.tmpMD5=71A1191691E576383C6CF21C62EF960F,SHA256=E54CC36AFE69077434A7DA8925D131F0C12C9F62359F143F1C2B2A7C96EB466E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.651{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_suppress_defender_notifications.yml.tmpMD5=20AC2C8675C14A6B39CCD7B16F745CB4,SHA256=1E51A9562378EB922371E47A8412D5295C00E829A1CD78AFA16CC9CA1C7DABE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.649{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_creation_service_susp_folder.yml.tmpMD5=1915466E35007AEE1273E437D3031D9F,SHA256=8E4DC6151BF32165A320FBF2E62A6A18EC70CCDC5084E23EF291976747F5F73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.646{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_mal_adwind.yml.tmpMD5=E553414330650DFFCFB6B6D94F410036,SHA256=3D12F09D969A9096CE5C6F927736AA47A0B0F72A2D0FFF152AAEDED6B200421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.644{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_appx_debugger.yml.tmpMD5=03068A58B299D50290AFBAE5CD698D30,SHA256=BC905A382E054C534BA45E49CC328FE3A2E284DA7F8D68E2F9621832D33405E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.641{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_currentversion.yml.tmpMD5=790AFEC7F097E41769543A1D7D24BC3B,SHA256=60636934667709AF1E4FB5051963BD6EE55341430CE9C9DA7B2E5612270D1995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.641{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDA826FD34011AA113B075861FD38BD,SHA256=93A8B1DAFB0C6E90E4BB0C0F551F07488FCFD1DE94D9580D36C0DA6729E48A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.639{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_comhijack_sdclt.yml.tmpMD5=0507997CB4079B8CD67C68667AA6C7F7,SHA256=F1B11EB723C7115B09EA1C5BC98A3154AE4A7CD5A6107F58C6EC5D4704A9CD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.637{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_change_winevt_channelaccess.yml.tmpMD5=667E83D1DD3902DB36A94B3A4EED6DCA,SHA256=13BB118C80B594F3628EE21107DCE9BD48AB823AA4B479ECAE0B7D7C56A52622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.635{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_timeproviders_dllname.yml.tmpMD5=C2C9FB7614F3D27DE10F5148F72B3F49,SHA256=DC576BC01C82C042F40C89A7718EE7AA7469074A718487227FFEE76A62A03908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.634{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_servicedll_hijack.yml.tmpMD5=4DA84A3D532A156B0FCC14591B458228,SHA256=938FCB83C09DC014E5174CD6471C5F6EDD1F77DB2F046AFE66CD79BF729CE311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.632{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_fax_change_service_user.yml.tmpMD5=0990327ADAF6AC8EB5DCEDD4406EB8C2,SHA256=ADF300F3D3AE1D9D04BA733B6E921791E23498391F29ED1F35102064C115EE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.629{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hide_file.yml.tmpMD5=33EF0F57065528783957CA5A6C33B879,SHA256=4D2AF642C88E78B1EA51746B99F1710B5178A50AE88EAA912A66279490D0AAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.625{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml.tmpMD5=923770F22CC0FE4A73E4057CDBBB0DB9,SHA256=C5D451878A4B8E10806ADB0C1E7E2353C9EE2802CED24F3AB4AE452B7986479D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.624{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_keyboard_layout_load.yml.tmpMD5=9DF6689B9B1411E88CF19C5C8E73CE67,SHA256=6B2D2B1C8C40A8F924A48C2A52E7E19A03C1D7380D3E0FDB357940179BB84A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.622{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_outlook_security.yml.tmpMD5=C0139BE7C107D3DC18FC9CB420684985,SHA256=42CC0010239236D4A91DAEA4E15065B5127AA7FA34A13D02AB71E6D4234BDDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.620{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_system_scripts.yml.tmpMD5=75151756795A634B6E7222429A7708AD,SHA256=2C8C5F7CC27A25E346BCE1E567E1029DF8119FE2C43FD17CC894B64D2B4F710A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.618{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hidden_extention.yml.tmpMD5=6361DCB8F59B79BD80202A8A78730447,SHA256=1DA12F0D3284AAE65B6916BF140C1600E36DEDB75A0D315EE0A0F2FA39F7920D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.617{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hide_function_user.yml.tmpMD5=2A352F6A2BA63BA26126F7A48BA96DDB,SHA256=C179E3AD0E5259E67B3C0FD51E29341119487473FD1A7BC0A545F8AE7837C95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.612{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_register_custom_protocol_handler.yml.tmpMD5=C62682005A805100CAE641DA71A76119,SHA256=0ABBFEE543F9C1DD5A9B2EE5E50533488551D790484C0B0136A4CB18DF7D5C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.607{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disabled_pua_protection_on_microsoft_defender.yml.tmpMD5=568141CB077C3CAC416782FA8BEA8558,SHA256=0222F2F16DF77ADAD44B03E717FBCBD9A61A3A5BCF5CC9B45F03155C2F91CC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.605{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_dhcp_calloutdll.yml.tmpMD5=F5D687D36F4A41F65FCD0E4AF5B6CE69,SHA256=B4A84347138AC6E036FC7F61DCF3E9F5DC97035993B0619E8D56B8D40A463848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.604{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_outlook_registry_todaypage.yml.tmpMD5=B78CD768CB6821DC6C7563FE348E7490,SHA256=60CFA92D4B4ADD91EF07581D0E4B22C51FF601E718799504866B5056D9A258FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.600{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disabled_tamper_protection_on_microsoft_defender.yml.tmpMD5=98A80FA51B7E44BFEF75D0130BCD04C0,SHA256=49ED969464DE2BEC4CE1A6891696B9DFBB69869B035D9ED69A3B37C621CADF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.598{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_office_enable_dde.yml.tmpMD5=2FE79A7DF80D30879A69BD6BF142DAB1,SHA256=54D6F630B3214CCBAB092BD713897C9FCA4FF9057C3E54988B8FA542CF9F3CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.597{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_outlook_registry_webview.yml.tmpMD5=F82B176113E4CFAB35143FBBDDA73E3A,SHA256=154BCEB62A39DF5119964135DB993451125AA88E13B3F1AEAD358D6E52880508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.592{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_file_association_exefile.yml.tmpMD5=3A983F3C67A5EFA68E9E345DFFFFA88D,SHA256=912E7ECAD4D5787C0C281080B2971DAA5EA05342C187B28437CE86EF69E8BA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.588{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_cve_2022_30190_msdt_follina.yml.tmpMD5=CAD99B3BF2DE2712F286B8DCA734E8C9,SHA256=2E90E5FBD8684C77DC87FFE645E8E9502C7FDEE9DB5965D54CB13110C41BA6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.586{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_sip_persistence.yml.tmpMD5=336030BB68FDFAE6CCA12C51CD752BE8,SHA256=0670A7E45CE3B5B413AF88D3D48756C138E341DA49AAF8C84A6AB46529E3228C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.575{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B9C728125085F67012C6E4C98DA7E4,SHA256=27500F9CB46E3179A3ECD38B8AA5B48FCFC9DA9176D365487335A933426059D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.575{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_change_rdp_port.yml.tmpMD5=59A80E04874769817E3C677B59F9A756,SHA256=67E04F9881D7633C36BB42485BCAC56C196BEBB3EC945376B93B510EB304D34F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000750082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.025{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58715- 354300x8000000000000000750081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.023{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A61081- 354300x8000000000000000750080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:53.969{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52362- 23542300x8000000000000000750079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.267{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_com_hijacking_susp_locations.yml.tmpMD5=A052779973EF1ABD50E66D21D12D9EE1,SHA256=F7F9EECAAE2673DCE0A845F8F766FA8F34DF3E67F4EC254201FD09EBBE29BD40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.265{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_powershell_as_service.yml.tmpMD5=0090BBD88D61998E764E59C2251D1597,SHA256=72B3DCB54BAB5BCFF0AF2ED0B61EF186811DCD10526C36639C35C931F50352A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.264{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_lsa_extension_persistence.yml.tmpMD5=0AED70ED8E6A1D06BF95BD64921C5838,SHA256=6954EED0C7A2488E8F70C70027B1ECB35064DB69136A9FA8D364532F52D58A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.260{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_fax_dll_persistance.yml.tmpMD5=CD6DCBBD7F33A99C7E599E9C05239D4B,SHA256=0F7FB66D9DA7684BC141F81869D9534BA87EEF104607BD78C481B999B7637CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.258{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_set_nopolicies_user.yml.tmpMD5=8E69D778330751621CD1A0F3C4D9FAA4,SHA256=98864F3EF9861E9D7E89AAAFEBE0E732643CBF6E2786FB1B120A02CADC8A5CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.257{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_winlogon_notify_key.yml.tmpMD5=62844F559E8DCDCAC74E73760CB645CC,SHA256=F2DC53C4B159040253802E59D719CC992DDFB5247B946FE4AB88B79A242B3A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.253{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_function_user.yml.tmpMD5=3AFFB8E428AE8DDAA3B7313DC157A217,SHA256=9705F373AF9E0A92E2B584C3D26C3136FE7B59F9F9F564F644D1E1995E32433D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.251{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disallowrun_execution.yml.tmpMD5=C1751F5CECDA423309A5732A85492327,SHA256=383EC78912A4B12E8B495E75FAA8F6408EBC4988DDB3D1257667E71F68E1EBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.250{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_wow6432node_classes.yml.tmpMD5=17DF1A6E8FC3B19EA1FB812119A89BFC,SHA256=F6E4EB20D8EA818CA9F60F2F9AB5690656579E79026693424716BC356458A234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.248{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_common.yml.tmpMD5=99ABC7FD64703872C4B5671C8700DC6D,SHA256=6F95A0AB65C1CD7EED1465483A65E232EE6FCA828C486BC46A37B8C3990ED22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.247{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_search_order.yml.tmpMD5=BE7873999370CEC9CE02F40AA79F5B61,SHA256=36379013E77AE85F61DEFB0A08E79DB14A2D9AC6E746EB01B078F798347E5D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.243{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_add_port_monitor.yml.tmpMD5=7C069D3980DFE1F1994A1AFA1FA11C39,SHA256=458282945547DB3B6198289950CA92F5741F7FF6343F1BC8197ED66499B2BCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.240{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_windows_defender_tamper.yml.tmpMD5=12C07B2EB561679100C3907EB3ACEA6D,SHA256=0D4D2F411AEC2A450265D39B2AF0A8017B7847E284666F1397CBA6E04C3372AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.239{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_aedebug_persistence.yml.tmpMD5=40B4A943AB81C8F74B714ACB1B3D329C,SHA256=2FE594FC10501762CBE330EDAE4548030596A69D377A82CE34B73C72327659D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.237{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_ie_persistence.yml.tmpMD5=17D166D91914DB973D8CAEFC9944A769,SHA256=047A0567CBA01A99B0322993772347B4FFCCFBC337E10FBC27F04BEBE2EEE995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.235{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_autologger_sessions.yml.tmpMD5=7F5EE690DB5BCDB04321C741676C901C,SHA256=5FCB7BEDED67053D68F6AE6F3979A3144E0326CC94D46AFDF6CEA2C51A4A95E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.234{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_policies_associations_tamper.yml.tmpMD5=73A123458C4303915352BA686D5A465F,SHA256=2D247EFD2741B73925BC48ABBABA0C58E1F7A08A2C916046CB5CDC1C30AD29D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.232{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_office.yml.tmpMD5=EF718226FC61096C3B1AE507E9AE1F42,SHA256=4F0B45E8F2320E5B2E9084DEA856B4F3FD0A005C28EE747AA226575A977BE674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.230{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_windows_defender_service.yml.tmpMD5=488F738041EA90E43C9CE41F8C8DB8FA,SHA256=0045E24B509998595DC80C27BE291AE2DAFDAFA7655390E3EE8A96225C6443D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.225{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_add_hidden_user.yml.tmpMD5=3500EDD965834C4F0320A10D0EDE4D60,SHA256=9FD32C4E2B8B42ED046B945CC1759F00C43BE03BC5D0E3BD540D72AECB74E8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.224{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_dns_serverlevelplugindll.yml.tmpMD5=733C431F801AD6F93551986E4839D6BB,SHA256=42AD266A0EC34E64597806880891232D49F36B7D26776A69E4F05D457B03FA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.222{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_enabling_cor_profiler_env_variables.yml.tmpMD5=25804FAE5E31CC5D91582927E6BFA2A0,SHA256=92833F3F2F1F777C6C44A91CABD6016B3282941ECCF66DDFC95D4C17FF06627F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.220{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_defender_exclusions.yml.tmpMD5=5BC0148472B616898627320E0F707E15,SHA256=5454CC17C918B0EEBF5F729D977D176A5DA9E08FBA347ADA91C06ACD673CEBD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.218{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_uac_bypass_wmp.yml.tmpMD5=4CABC1366B08FCCD8166A0BB114F054D,SHA256=6FF25842B3CC82631DCCC05F2B7915483BE0F8D5E01A1A00342F4DDA82A2F905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.215{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_outlook_c2_registry_key.yml.tmpMD5=3454480FB1C6161EBB21B897235254E6,SHA256=A4F07227EF95597771F3125B47B369C18DB4E218ACD8DBDC8E42B5E036636E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.214{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_security_center_notifications.yml.tmpMD5=9D0DE913D0202949D5EAD1338A9E3B18,SHA256=0AF7EE172CED596F823DF4CD859AE94E603F4B7A116B275CAB96507AA7EACFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.211{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_session_manager.yml.tmpMD5=789729014ABCF39DAF5EA76F1D5221AF,SHA256=E011D6B8045BA7C75040F7CCE939C7619E29AFB4C397EA788C0306AD77CBA75E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.206{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_uac_bypass_eventvwr.yml.tmpMD5=7BB77257713C592B7793BAB459887AC6,SHA256=DD4A1C2909C48DA432CE2FD245CE9BB652D1F134B65C172809533D5606BC1B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.204{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_cve_2021_31979_cve_2021_33771_exploits.yml.tmpMD5=9F9A45F38728283F819B86E6422E4BBE,SHA256=9A2D0D1489E542F192A91305407FA54E9EC0A15825FE692D254BF93C447F139B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.203{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_creation_service_uncommon_folder.yml.tmpMD5=43AB800281F74BE794D8723BDBD7F233,SHA256=C16AD1BC544D791B4872CECDB3A83D503A89BD3637AED7483FCFF6F61F9B2B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.202{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_custom_file_open_handler_powershell_execution.yml.tmpMD5=74E1EF6D4177EB14760AA87E210B20D9,SHA256=D2CB2A14869B2008649CD81ED3F77D3A09A7AF310E88C439844F69D909FD6BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.198{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hangs_debugger_persistence.yml.tmpMD5=8BA91D7BEC24BF80E120CD02AC2E3743,SHA256=25C1F84DB11E218618EF58AB36B99572D2AEBCD22DCB329FB6D9857BB0A7920D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.196{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_globalflags_persistence.yml.tmpMD5=C2B7A06842DCB95B0E97B160AB273FFB,SHA256=348237611C5D0E4560B737C5DA79A2C80E8DF4DE73AD9070E6634A92E5A9ED55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.194{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_microsoft_office_security_features.yml.tmpMD5=AE735432478E5888C0066DAF99ED5A83,SHA256=10C386A062302C055D0416C93548CB9DC9B46F2F373EFA55AF27138A706555BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.193{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_currentversion_nt.yml.tmpMD5=C025C451BF6FA1C028C93535C4856886,SHA256=FCAE34BC0E2A2FC3E09806D0BB32F5C92BC7BBE5D291FB1D89CC31173E65F9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.191{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_enabling_turnoffcheck.yml.tmpMD5=AD447EEBAD601E8FF5772A43A003E947,SHA256=BAF7CC3D1B419F94F396017AB27D4FE210A960A3F38ED5DA7A4497AD3FD44E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.189{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_treatas_persistence.yml.tmpMD5=23A7ED772C88EF269F95077062AED6E1,SHA256=A8C29718B8DCF39532D505815432392A6A11F0DB5C220F86836C471953B33075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.184{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_silentprocessexit.yml.tmpMD5=A85957EDCD4987219653E57F823C269A,SHA256=0EF516A7EF3CF3D629C514D219BBFFCD818CDBD6C9E305DE72FB566CCA1C5E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.180{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_policies_attachments_tamper.yml.tmpMD5=CCF8E4B0180C4A6F1EB2B49969665DB6,SHA256=B7B66E1A53278CBF059C9D9CBE4535EE61EE3383AFA30552541ACEC6B0931B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.176{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_uac_bypass_sdclt.yml.tmpMD5=A113CAD0163F5A889F9FB234708BB929,SHA256=BA2FB5F21241F727622A8C63A031A08CF706DED33DBD16321FC8AA12BCE3ABB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.173{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_special_accounts.yml.tmpMD5=9FE0D9FBA950005E0684945D7FAD6520,SHA256=6F8E249D141850B81082D382DF05EF6BB6073BCF88AA7DD79A6D7591D2CE70E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.172{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_windows_firewall.yml.tmpMD5=3D340A05A0A115306185A659B38283B6,SHA256=3D8F6023456F66B82F8A615FC17636CEB7E4FC2ECD88EB2BB23390D6DCBD634C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.169{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml.tmpMD5=4C6C9DC6C8C4875D1A5E1CB45A719555,SHA256=0F81C831284DC934607FCB60788373926939602BB3FDC8F7E7CF9BB0466D4E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.168{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_app_paths_persistence.yml.tmpMD5=8FAAC281042C5679AE1370290FDB712B,SHA256=5C2892E6980EC4EC25C128D97B03BE1A7F8B3DBD94DAD5F7EF3A63B20233B903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.166{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_ifilter_persistence.yml.tmpMD5=85C3128F756B00451984A4B46331ED15,SHA256=3126DF6885B74C5993C4818BA7D4548E860C353E007563C8DD1C09D8F605A8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.165{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_wdigest_enable_uselogoncredential.yml.tmpMD5=DD2FD96E0DC229DFF5481F6988DC929E,SHA256=FE7C95AA6FBDBC24B0AD9513D5226ADB7E40EB3D5F3353D2615C54DE4A613515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.163{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_terminal_server_tampering.yml.tmpMD5=A5D4EE8632C6DFDAD6DE14A1E3C7FA06,SHA256=11E2006E868F7FA336F3E527B15EBC47E3B24630B27E4075F969A9E764935DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.162{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_add_load_service_in_safe_mode.yml.tmpMD5=66855FEE1F0FFB2660A2DDD664748F1F,SHA256=058A004BEFBFCF9A77CD2E2FE8A204F78A5E9D67933DD05D2F121504250A1F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.160{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_winsock2.yml.tmpMD5=EE635ABCB71340F1A67E0EAEDA2787F5,SHA256=AF204FA4ED841E8811C98DA441C0CF00F90296CEADF084D75B1598D2E55D79DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.158{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_run_key_img_folder.yml.tmpMD5=E366C2A3FFBC2798AFCD796CA1151F1E,SHA256=DB236E4DE5700577667CB0AEE5DC9DE0FF14AB080A59D0B83E000FA088A230DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.157{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_change_sysmon_driver_altitude.yml.tmpMD5=684B5BF73267263ACBF2132680079BFD,SHA256=0A4077911FF7431BC85D005D452A9666688740CBFC1567CBCC33328D1B1090FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.153{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_bypass_uac_using_silentcleanup_task.yml.tmpMD5=300736BE005239C7A3F3E83DEA54A941,SHA256=FD42DED09D979CD99C4F20B81522B61F6C0C426F9FFE375842AB1319655A5E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.150{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_winlogon_allow_multiple_tssessions.yml.tmpMD5=FC4B4B9FE83C2905411544588C6506E4,SHA256=1B6108CE8573305F14F8CC566D999E07693FE8C710979F18CF2AC57178662303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.147{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43EBEBBD39724514DAFB7194B782654,SHA256=6206FBE84F5480F33BA41CC45C29B4167ECF743741DE7D3D6D7D19015CB88B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.147{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_typed_paths.yml.tmpMD5=A18781EBDFA33E5412FF585FDDCB57DD,SHA256=F5E8CF46A1465FA381440BF2C13A95CCDE3E8E8F1EF89A604FCB20E6C5683DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.143{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_mycomputer.yml.tmpMD5=B41CAD785694BA96F841E3505CFF70E1,SHA256=5E6A2F9576BF96035297183C197826A81D7AD9E9CB436464E21FDE58D2BFBB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.142{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_mal_blue_mockingbird.yml.tmpMD5=09A9EBFD32CBCA0B6335005924B34264,SHA256=ECECD7D49EBAB710ED8B6360595F7FF4DA5EDD76AA23A469912235A2F4CCB70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.141{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disk_cleanup_handler_autorun_persistence.yml.tmpMD5=74E759366965256C2A00868210A1D2EE,SHA256=FDD6401CBE4E614394DA2C8D590A982031E43C889B6AE658ED212542E7EBF451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.139{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_winevt_logging.yml.tmpMD5=6B2A0D584CDED5A508824A36855888F3,SHA256=317F5944E7DC56966270ACAE6B61958B2F6867B3B073A2E3EB42722BE498094B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.138{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_uac_bypass_winsat.yml.tmpMD5=2CE0CDECFFE39674AA3D2F23974D4690,SHA256=124059494123048C4B6D2E7E5B02457CC1947BCF06402314205A570A9B67190A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.136{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_etw_disabled.yml.tmpMD5=C630713F7567005279EE4EBE6CEAC6F5,SHA256=95FAD813FF3E2D1A6E3996CF59A77638885E2CE7C3E98014DAA4691D23550732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.134{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_internet_explorer.yml.tmpMD5=D76C3931C328F54C5F0D0A135EA45FAC,SHA256=841BF45A937EDB4D13CE6D9566EA0594A37202FD21FFB4CEEFEAD0E5052F0E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.132{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_user_shell_folders.yml.tmpMD5=0D4FEC9EDAD74F6608049F14D0488307,SHA256=E1F8DD156634BCDFE372D36EC607AF68E765AD8C149D5BFAB15D828BC446DA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.131{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_terminal_server_suspicious.yml.tmpMD5=03BDC887B2848F675F6AF36B21CA346A,SHA256=B1840F1762087B182F254361A21E916E57BB9023C079764C61CC809F05F988C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.127{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_abusing_windows_telemetry_for_persistence.yml.tmpMD5=23D6846FBD653F66A1F9DD37BB088DD8,SHA256=4BBE28723CEA89404A5DCB59ACE4C7196950407451D0FFAEBB7C36935284A6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.126{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_printer_driver.yml.tmpMD5=DF3C7C6B399A80959DF35B17DC7D27AC,SHA256=754E0FE76989354FC56D9D8F1B49D5F6F46D8BE89631776C0438CDE75DF51E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.125{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_autodial_dll.yml.tmpMD5=497FD9F64582E5576E2E62C1F3025D56,SHA256=D31B5F88667CC29F27AC325C9328E3692FB4CF54BF91BBAB981651379E316F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.123{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hhctrl_persistence.yml.tmpMD5=6945582A6BB79F60E0633AB870D07350,SHA256=6885AE9E109DA595FCE142966B58AD8F26B6610749FBA03C2E95E8B58F085743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.119{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disabled_microsoft_defender_eventlog.yml.tmpMD5=2711DE8306A806FDDCCA7FCE3A15F11D,SHA256=D01499216E3AF28874D8CF5AD311CB2A7A475AA59087C8B563CE5689FA3BDA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.118{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_bypass_uac_using_eventviewer.yml.tmpMD5=21DD94F155586E213C00DD7DE17CD213,SHA256=06AD3E5C99F8C6844C6A6F7B551FBCC5DBC6E2CED19715F5B77D1F147D01E681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.116{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_install_root_or_ca_certificat.yml.tmpMD5=414856B1B5CED518F81E1ECD9966CB4B,SHA256=68C3136C0AEAB8F0AFFDCBE55564902D3555AA96816F80E74853559AFA236FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.114{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_classes.yml.tmpMD5=FF1DF34A46D616AFDBCA4252A2697FF1,SHA256=A2DBB11900A1D8BFB8AB321D7608B46AA78B9462879CEA52C0122FC2A29C9AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.113{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--regsitry_set_natural_language_persistence.yml.tmpMD5=462211D7C2ADF275D54A8B9E59083CAE,SHA256=FDA84129CB1C5090528AA46DF6A540D9B7B6EA46EC7E6F6844F922535A4C0B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.111{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_service_installed.yml.tmpMD5=F2F62D1D4E65AB7CBEB615429C9B8C87,SHA256=A5C5C2B5E9E427CD0C2DE9E89848DEA1A889EBEADF3487FACDD15F5285A18EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.111{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hide_scheduled_task_via_index_tamper.yml.tmpMD5=194AA0D127EC15EA46A9FB1AEFEDAFAA,SHA256=FD0B98537328942C426F6E3F4F5EAEDEFC98E6CAB4F3932AA2362AF1B9943EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.109{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_new_network_provider.yml.tmpMD5=65060EAAF961B693241DBC4D44FACA46,SHA256=E49D3AC816E23CF79651A9826F3E266F26FE7EC0D52117B005D5FB9FE9B15A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.108{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_taskcache_entry.yml.tmpMD5=1D81A944B2F7E99505FB64661BB55A12,SHA256=C11986D8B84001EA8AC8C5A3212B35278539E1BAB05E5BD34ADEA59DAE00F492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.107{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_vbs_payload_stored.yml.tmpMD5=1623E8DDCF63A1B6F9489BFC7BD23B2E,SHA256=73B6A32A13CB8A7C44EBF35A4994368ADE3BA2FDAD6FA4171D573193708F450E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.105{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_shim_databases_persistence.yml.tmpMD5=FD9E4634FC7F56FDB8C849A6F09873A0,SHA256=A8C39A67C84FF33ACB7AD383120B63508B683B55F074998DE14D17D5630C8DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.102{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_administrative_share.yml.tmpMD5=EF29C3D50482FE2E5A861FCE6A212D98,SHA256=2CA87E9FFA4E2EF8CFEE9B90A4EB29F1F91CD725ECAB27A6C1B6275B7A01CEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.101{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_scrobj_dll_persistence.yml.tmpMD5=41A242F8860548966E5F29772D5F4FA1,SHA256=BED1D5B2CF6D957AC1132C7A69E291A38ACC6847AE4E309AAA919B34B69387A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.096{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_privacy_settings_experience.yml.tmpMD5=87E0B0D296025BBF0B4A820895C8E2DC,SHA256=CA97C2EDD9D11AE5E5065E695123127005757ABDCD603C5F8C5877445C328D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.094{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_telemetry_persistence.yml.tmpMD5=754B09EB1E810FD7AA593AE408FDB47C,SHA256=742779FCA60C5B599F6FFFF4ADE9B9E2396AC9270A2A585FEE14210E754B10BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.092{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_renamed_sysinternals_eula_accepted.yml.tmpMD5=26A2F90FF719CF8FEA1CFFE26AAD720A,SHA256=9C68D2C29520702EA9C3D0B57D95BEBEDCB4282B84E538018229C52014701F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.091{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_uac_registry.yml.tmpMD5=BCD8C750567D7F18C05B2CA6D131A07F,SHA256=BFE85AAA37E992A29CEBA0A13769E8E2E857A6EF4968E5B61C7868031258B5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.084{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_bypass_uac_using_delegateexecute.yml.tmpMD5=4CE04A4CC7F395DCAF4A1518BA8B81D7,SHA256=20D05EF635AFD02B80D6381CFF3782D4CC8666DB565B45C915E4E63D27EC8355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.081{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_lolbin_onedrivestandaloneupdater.yml.tmpMD5=E236B59BCEFB3FED48F950AC654CDA78,SHA256=411DC7C626EC1333B7CD96575D475CEB87905C2A51FF92F8FDFEE70AA3BAD597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.075{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_office_security.yml.tmpMD5=5AD75B8D28E60C831A01AD9BA47E9507,SHA256=342F7956344E56C3BADE349BF18399E37C080CB4309F59F8CCA45F125F5538EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.073{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_dbgmanageddebugger_persistence.yml.tmpMD5=DE0C995A3A0F3F9C51B8971A5CCEA9D0,SHA256=3EED41994AAA7658EB6023EF6B669A7FC41285E89702980D9160A5BF2D3D3FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.069{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_office_vsto_persistence.yml.tmpMD5=F29C9C6A45B0DB096538107680410588,SHA256=0128EB7162DFCE284B745E37065479758E48A5FB7DBE81BE9E561F19EEA15D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.065{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_change_security_zones.yml.tmpMD5=44F0DC7A234A8534923C9B5CB4872F0E,SHA256=FB07FBF74CF3C68656E08DD496E6A55B29A812262345EC881BE53BF37280551E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.062{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_scr_file_executed_by_rundll32.yml.tmpMD5=00731A60E5134AA7E2B4E8CBA2A12E2E,SHA256=0E4B977CF7460ABFE8D392A08B2F92FE1F5AA8EBD15B08F7EC95753572F99EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.058{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_new_application_appcompat.yml.tmpMD5=2278CA2B753FF2B21DD07328DECBE4CA,SHA256=5D7696BFA1926D029DF35998AA4F48E40A6EC707236C8DDA2AAE56282F938832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.057{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_crashdump_disabled.yml.tmpMD5=1861AD37AE3CEB2F4C2FD35C388DC727,SHA256=8ECB1625FC9C70CB8ADF7725E8FC3896760C63B97390656D81A12E1ACDD63885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.055{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_defender_firewall.yml.tmpMD5=B0FDFFCE9E6166C354B60C627EF49287,SHA256=FDD5170FD6A26EF20B31ABDBF6D2135FE981A7AA032EE8EAFE8E3510ED72A3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.050{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_sophos_av_tamaper.yml.tmpMD5=BB826D8FA797382C95E7A56F5EADB377,SHA256=85A65F8A4AC5C2679911BD7562334C7373012C0EAF1C8DCAB415B3B7AA06ADE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.047{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_currentcontrolset.yml.tmpMD5=65CCE39EEF25AD5A2AFDD345F9D9449C,SHA256=952FB02E446C24D92586E117E26DC24613A42007A4A1556DD0A6E2D2B499CF4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.046{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_system_restore.yml.tmpMD5=AAE4669CEBDC11D74FD36812283700AD,SHA256=F0DE43E6A4602BCD8EB3FC7B181CDBE835E73AE5FE5BC9CAE714ED22109E5EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.045{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_chm_persistence.yml.tmpMD5=E974F3F30358C73A3F319EB8DD3D67B6,SHA256=173DF59766BDE8F5B9249903166A57A7D889C527F2CBABB79B2DBC32DAE7840C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.044{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_chrome_extension.yml.tmpMD5=116FDDF9F2C84468FA351BC904C96647,SHA256=93BCE008430DA86568DB4422C50A4B01235FF1D71A5A41417C1E3E925A9B1C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.041{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_allow_rdp_remote_assistance_feature.yml.tmpMD5=BBB4BFED0D573A8579E44EBA32D33D27,SHA256=9385E86AE07C3A2A55C7C9F7C344366FCCFEAB5C6274550F93014A11EACBBB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.040{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_cobaltstrike_service_installs.yml.tmpMD5=13DF7714930F20621AEC6B3F9DA54C93,SHA256=7DC5CDD0CF65B3624EA9BD4CA49640CA7EFB153817C81D560AD409DC9569A297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.037{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_cve_2020_1048_new_printer_port.yml.tmpMD5=078CDC9DF5DAC52A7DBAA706024EB698,SHA256=D991561C8A270613077A4998836E4558761CED96F963CE5A5AFF3D8EAA93605B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.035{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_mpnotify_persistence.yml.tmpMD5=53E908F84786C58E37E8A07A059389B9,SHA256=73C15DF52E40E4649A3B2B5FAB4642FEFD72141660DEDF63DB51B1B19C560228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.034{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_blackbyte_ransomware.yml.tmpMD5=0C8524E049AA767FBBC7A01393255701,SHA256=DD28DACA6C8291289D6D1DD90219551760BEAD847873B3E4957C39E118262402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.032{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_dns_over_https_enabled.yml.tmpMD5=0CD0D17BA4EA07548C7528ECB2E0D3E1,SHA256=5C72B96F3E46C5C4DAF91797A9209BD4D816647C62F246215B9FAC9BC0E8F593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.026{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_powershell_logging_disabled.yml.tmpMD5=BC6AC6B720594658C7183D51DF70608D,SHA256=B45B7805F1CE3E2B690035F121687653DF49AD798A74287C6923585F3E181561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.024{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_exploit_guard_susp_allowed_apps.yml.tmpMD5=6848DB6C2A22BDD6087B45E57BB30FE2,SHA256=25B72C92C1DD7E8D6A63EF2AD4448F15DCDBA446C67875050161801E10B9636A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.022{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_reg_persist_explorer_run.yml.tmpMD5=0102E463760F99F60E6C4BEA79749E74,SHA256=C09586DDCD127DB0245D436CD351023A40A2129C259A2C4D3AE7654E45D622CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.021{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_powershell_in_run_keys.yml.tmpMD5=15B0DD0984C8A65BF0856BB76540135D,SHA256=DE13256A5D7CD70F8B17EF2738D208A2196C986E8A1D70C4E7C1F2375BF3E00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.019{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_wab_dllpath_reg_change.yml.tmpMD5=F5A37A0C6188CFD822FE3E2779599B69,SHA256=799AEB3EC37A4FE06CF40AB15BD21EDBEBFB8FE1CB7B19B98658AB68E7837F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.013{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_wow6432node.yml.tmpMD5=5FD5FFC8B2E1B0F3E265E3CF4ADBED96,SHA256=D5A2A800E0983E30ACDE70FAEE43DF669D2A45950D4BAA1BC70B16B355DE0D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.008{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529088F1286DEF31B96E658890BA1279,SHA256=40594F8A38681ABED524DBF4C658CCC7BC5A67DD475CC81D8D1F5EE8C98E83E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.008{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_ttdinjec.yml.tmpMD5=A16C460D20D856C189D38B3C73DD82B1,SHA256=2A85DF072C48A051FA4EDE906962B882DF064AA9C61EB5BA9390BAD7B64A80D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.006{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_susp_remote_thread_target.yml.tmpMD5=BA242D229B78917DE07EA901313CD981,SHA256=8E98314251B266580618F84325E030B2993594EBAD1B101DE136DCD9E229EDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.005{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_susp_powershell_rundll32.yml.tmpMD5=B0DFD36E589F88F7CF04C29E892B88DB,SHA256=49876847BCA6F686CA14CB8F27F88BD23CA42FBB6068878088EB7E250A71D8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.003{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_bumblebee.yml.tmpMD5=472DA09696C10A628FC10B95980CA47C,SHA256=86F4B9F885D474473688B91E383DBA47FB28C053CB545A3E4460083CD858E929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.002{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_susp_remote_thread_source.yml.tmpMD5=05461293D64014720B13B0176B9787BC,SHA256=D5A369D5985DA225E29EBBF50A19AF2440FABE91F74323986E8CB4D75ABF7A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:54.999{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_susp_targets.yml.tmpMD5=2B482D0B62B1552D758DC822476FD7D6,SHA256=F267D5A23152F9114BE0A3ABDF6CCC26A5C05DAD7114AF073BBF399260738D55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.968{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.967{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.967{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.967{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.955{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.955{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.949{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.946{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.931{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.867{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.866{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.865{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.865{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.856{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.856{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.241{5C0BDE06-1A77-634D-0A00-000000008502}6401832C:\Windows\system32\services.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000518016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:54.966{5C0BDE06-1A79-634D-1800-000000008502}1756WIN-HOST-CTUS-A0::ffff:10.0.1.15;C:\Windows\System32\spoolsv.exe 10341000x8000000000000000518015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A77-634D-0A00-000000008502}640708C:\Windows\system32\services.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.057{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5C0BDE06-1A78-634D-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000518003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.052{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000750600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.821{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_smb_file_creation_admin_shares.yml.tmpMD5=86780F00179182CB6932D8B1EF66D645,SHA256=346C8AF3C96A2C08A7F9CAAF7DD6D5C40AC5CA80C2CCE8D66C96CCF65375918B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.711{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_local_anon_logon_created.yml.tmpMD5=F5AB6BD71F15EA9C07C5725A34F5E73E,SHA256=33B760D0060CE6253BF53A076E5BC590381C964B28FAF991321D48A2FFF56980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.709{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_win_shell_write_susp_directory.yml.tmpMD5=4405E8FA35DC1044607DE622BC94B845,SHA256=AC93D50730A7F12242B9D252F7EB486BDE44F3C21150D1698F8A45B8A79BBE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.706{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_quarkspw_filedump.yml.tmpMD5=1B30CB0980EFE093F5E0CD28314DD8B4,SHA256=80B8E47C248FC7DB4C7777BD10AB1467A19817FB22FCE51676500D9602F710CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.705{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_service_hacktools.yml.tmpMD5=7473C9F9A44164F578AFE1EA3EB3ECA9,SHA256=00691F924E35BCFBA7CE2C842A9D28E0DBA00736D532A4B0F5C472E3E6CF407A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.703{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_spool_drivers_color_drop.yml.tmpMD5=194E61F1972819E3E45870DA46750CC3,SHA256=F2C8F76586C0CF0566D7E983E6E9268A92E64581C44B350D754D38C5E181728F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.701{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_anydesk_service_installation.yml.tmpMD5=2E08853CFB158D67C914DBE2438E0A90,SHA256=4B700D1FEA09F992ADA2C25CE2F53E5CA9C927A1ADC0EF54E6300FC01F22952F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.699{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_logon_explicit_credentials.yml.tmpMD5=985C9CB1D08342D1A4EA2A7B8F26B4C2,SHA256=090F5118AE7A489A9DAD23199931FA4E551285B7A15D7A87E34F0B02529DF0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.698{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logon_source.yml.tmpMD5=1D3DC8CEB530B0A06B6CD363FA6677A4,SHA256=01AE39C06946BBB075C1AD1E8A48D7B346037AE80566FD279414BC06803C69B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.697{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_aadhealth_mon_agent_regkey_access.yml.tmpMD5=73926DF86DD50AED7CE9711172F22E64,SHA256=B1A85D18DEFF70CAF74A39DF80BFE38D452AB56D6EC9B8EF9D5B59DDE810743E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.696{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_rename\orig--file_rename_win_ransomware.yml.tmpMD5=70651C92C296A505F95DD4B76653012F,SHA256=11CCA892E3FBC0B60E76DC349A7310A0CD8FEC72621124B5AF4D9033FA80661C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.694{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_anydesk_artefact.yml.tmpMD5=5EAE1D260CD86C6D6181008788D1DB08,SHA256=9C0F45E11A30273872E0AC3C53CFB462E5469B8535ED760CC71A148653C8298C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.691{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_proceshacker.yml.tmpMD5=77BB3866F614252FF12327AE61624E21,SHA256=C3CEE85813FF97C4CB18A2007DAC1231C3BE9EDB22EFD9935EA711D188405EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.689{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logons_single_source_kerberos.yml.tmpMD5=230CE5292617B7A817C3D401B4AC5C99,SHA256=8CE6C97407085F8B14ABC4F6B073E0F18F3ADE3CE8BD6491C48996E0C8A5C9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.685{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_wmiprvse_wbemcomn_dll_hijack.yml.tmpMD5=BAEE148FB99E817A4AD03CA62D73E588,SHA256=C75B41E4381430BB43C676FEF0BC1B761CC557C53D5B42CC019D7225780C629B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.683{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_remote_logons_single_source.yml.tmpMD5=6745BD6992469964D46DB9C307B20797,SHA256=C5EE2636BE7EE1685183973F69C130B8095C94924755219BC535B69134CE89F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.681{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_pcre_net_temp_file.yml.tmpMD5=59931395906D708D5F3703F5818EF668,SHA256=78C2335BD1CB4A078A2D781CDAA20C6CBFB4333970A3265C3936CFB9CCBC24BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.679{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_opened_encrypted_zip_filename.yml.tmpMD5=240F28AA64120893E50DECCD95C36759,SHA256=6FAA400370E970C5CE4B15092C84C5947C36B58A3B386F8BB4FDFC0A1656D9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.678{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_global_catalog_enumeration.yml.tmpMD5=F0A52B1259BAECDB04DB197A658B18C8,SHA256=5F7B7CBB691CD146C5621F27CDCE6455729DEA15506A2D4239FB32E360321562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.676{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_cve_2021_26858_msexchange.yml.tmpMD5=F9AD750DA36225A0F807B823D3DE5EBC,SHA256=8E0DFEC0C8F6ACB0AF3E79865E9817F5B9A3BFDBA7C2BB96B7172EDA1453633D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.674{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_system_interactive_powershell.yml.tmpMD5=172922320C40E015606BEBD9F98E450C,SHA256=F489088A3DE3A0A6B865AA65B36973289BF009F8B5339448FF7EBB75A8DB8AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.672{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_writing_local_admin_share.yml.tmpMD5=084B06626FE8417BEA7D312AD4B38567,SHA256=243EF3B4406748706280E08EEE7DEEC17D515E1F8BAD952E4F245CBE9631C9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.671{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_sam_registry_hive_handle_request.yml.tmpMD5=0DF2E349764F46DAAB68A33780EBBAA6,SHA256=772F464E15B79000D3045D7E5AAC3348D1874659F4EBBF3D9F4C39110AE544B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.666{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_apt_wocao.yml.tmpMD5=437722CC3A1498099CAE2A26110F5706,SHA256=10722760585A3D369EE9C37BB6B95C5093744B775F49CC3A64DEF51BD7159F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.663{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_dll_sideloading_space_path.yml.tmpMD5=641D51743923988757FAB893900C9AA8,SHA256=820AA9C46A5215C97A9447AD38E60FF362E8C6851E8C9B5E1F75A0A6E2777E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.662{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_net_recon_activity.yml.tmpMD5=73518713E0D6DCB425FF3676935808EB,SHA256=B6BF953BDECB42B8F6D44F131DFBC7818148CFC48FDA2FC17E08A29F8A7ADD07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.659{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_diagcab.yml.tmpMD5=1F1EA1DCAAA6844219CA21C900F710BF,SHA256=5CC48595D28939D846963C5B08870F5CF1ABDC70A1BFF92793D8C98792064C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.656{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_tap_driver_installation.yml.tmpMD5=5878077E3601D68FFD72A8514CEA2E92,SHA256=46F9AE792B0BF9600A39876A99777D0206F82EF8ADD62CA12D8A4C64221EDFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.652{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_lsass_dump.yml.tmpMD5=FF5603A00E5F8EF639FC9F5446666E66,SHA256=962013C46ED18D2533AC9F39A712F3B9A55C35049159A6275E99DE2C6447FD2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.650{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_ldap_dataexchange.yml.tmpMD5=619176BA356AEC415EBB31C9A1608FA3,SHA256=1B8695F274A3DF6F54250CFECEB831DB88AD03BA07224B69F86FB1F0837F24FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.649{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_var_services_security.yml.tmpMD5=F07489238F65CF7904BAE4C977F6B586,SHA256=46BAAC51D4A8299E534CBA00BCD78CE6CE574A423919831F4BA9DC162EEE6209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.647{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_clip_services_security.yml.tmpMD5=BB7A55712B767BCF42A3014A4E86F661,SHA256=FDD6E781D792EF916BB000A989B826C6DCCB5A1C4356B8145DF143D6111F2DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.643{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_via_rundll_services_security.yml.tmpMD5=B24A8585467F6AD40C2B9D7F72BC7176,SHA256=3D533D85565BCB96BC33DE4623DAAC1FB748DC048AFC2847008BC0D94FB8CD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.628{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_exchange_webshell_drop_suspicious.yml.tmpMD5=7E11E450A750392229B0AF5FF8A5CB8C,SHA256=4349A85A95A8816DE3DDD3CBA564F9A72798549D3512FE23A9A42304D57FD823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.626{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_colorcpl.yml.tmpMD5=6DCC22052F044C5E7D646BC478AB8722,SHA256=AB7481F579B25F0303B13020ED4F7573138160396DA7EF3A34B73F4B7F8E1CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.623{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_impacket_secretdump.yml.tmpMD5=C4E71D9EB38110CDE59313469988C466,SHA256=A0AABE6675C672AAE1FF95F8E31E2655F6F2D15B1A47FD1F9FC8764B799BEB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.621{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_samr_pwset.yml.tmpMD5=6E9E148C429644BCF86700448E971B66,SHA256=F5C9A21FAB076DD60EB7E0B72616CE3A4612CA6FD94D1812D0CAB5D45A1E59B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.619{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logons_single_source_kerberos3.yml.tmpMD5=CE59E5F82F5DEE0B762F52A002392761,SHA256=00913B7C64A3A546A8321C88247D80482663B5E7D527B0BD0984D291F0A00FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.617{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_task_write.yml.tmpMD5=2C0AC467355D2295705BBC7FD92CE35E,SHA256=0166D7874E83270F8FA459B2ECD41EFC74D211DAD17BB504BD82479654EF4D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.615{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_iso_file_recent.yml.tmpMD5=09000D78375572CF5B09697022504516,SHA256=97CCE4D090B4FC64D82B1BED4F6292BA783F4E5773B2CBC466FF31A1DA1FF974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.612{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_mal_octopus_scanner.yml.tmpMD5=6BAFFBC72516F54C3D4512A0C0E21B7A,SHA256=A0C7989F046EE2547A820AA605F3C5B124B59A8262137F4FF0162D7FC2616D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.611{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_volume_shadow_copy_mount.yml.tmpMD5=22C19AFE2ACBA47D083E1B67A8A5C8BC,SHA256=C4455654B4DC18FE8FC283885D60B281EA03A08F42E987238B77F82E9820A63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.609{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_mimikatz_kirbi_file_creation.yml.tmpMD5=FF353DFBECCEAF4645270949C32BD059,SHA256=AC5426C87F94856039B1D5B3F3C6BEBD99D70E0DFEA36CFDCEDC4FA3881B3EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.608{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_wmi_persistence_script_event_consumer_write.yml.tmpMD5=CC07D5C639C57FEA20B6EBEC2DEDE843,SHA256=3FEDAEBF8EDDE3B3BB3071CD3BD0A80893C1F46FBBDE8510B2F30BB9F81CF00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.606{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_dpapi_domain_masterkey_backup_attempt.yml.tmpMD5=8BADE7C779614565F0BC5282BDE4414B,SHA256=A591058D99BA618A47B05A560465C4AEE3299C189AB0DC0AED4569B043BC36FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.606{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_service_installation_folder.yml.tmpMD5=F592DC1B728EB2D44B493644175D0201,SHA256=6BC7737C80ACD1E9196579C39C1BF3BCA60F9839DF44E64EDEA6C0C7E3CB8869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.605{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_diagtrack_eop_default_login_username.yml.tmpMD5=67015B29BC01187AC5395D07125F8062,SHA256=E0E3F254C5FE147CE2B4B8D5470F26716E310BBD3C9C6ACF50CE30B016E14673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.601{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_via_use_mshta_services_security.yml.tmpMD5=875F917692BAF497EE3B07FF7074C6E7,SHA256=265EFBD1B275EA2400BD4C19833CFBE2518C11E8C29DDDF95C5B3E17DC695092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.599{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_clr_logs.yml.tmpMD5=361F984CF158B89961DC03856607C9F0,SHA256=4369DC626FEF47431FFFE0EC553266ADB1D532B66AFBA79F0C89E35D9D300209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.596{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_add_domain_trust.yml.tmpMD5=BD877E1B02F5DEE833356BFB2E5B79D4,SHA256=731BA84CC7BF8B39A4603D14D50858C516AF17586A9DDFB3A74ED11809588206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.593{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_scheduled_task_deletion.yml.tmpMD5=52974EFB56A083B2CC03A3F19C2E2EE4,SHA256=B44EF9FBFD250482335AA5487F4BC0CE9851E0B5BC782E5A2B1FDFDE7F133D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.591{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_sysmon_channel_reference_deletion.yml.tmpMD5=5FB34C1AF9DED785F63F568CFA6E1545,SHA256=DEFA50A07C81E152C5BFE4D6E1CC83275EBF9855A8D42A8D51D798BA855AD37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.586{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_stdin_services_security.yml.tmpMD5=405FFD54AF161DB23C55C2673CA4B02E,SHA256=233882676EFCDAD256B7AE3845A08C4866A694E12FD50FFBC8CD3407A8C6AC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.580{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_service_install_pdqdeploy_runner.yml.tmpMD5=BE960FE047D649991A8DB909FE1DA3DE,SHA256=F73E6776CE778690CCF297569AEC3D212E75C8DAB974C02A6A6A320735BBF3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.580{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_scm_database_privileged_operation.yml.tmpMD5=1DF4FF7889D3C3BCA74235871243EBF7,SHA256=FDC043450B4E8116309D860B36D6269C4D0E854405D4559B362F9A367369D484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.577{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_lpe_indicators_tabtip.yml.tmpMD5=EED887EA0123F5BD3E88B1B953EA078B,SHA256=8D25EBD33A11F0FA6AF39ED2DFDB081B0AB7613A76DDF6B2978CDA4C43FA82C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.574{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_exchange_aspx_write.yml.tmpMD5=E450B0E572F841B22B75DFB2819CB2C6,SHA256=AA2F006BFC34B04F9292B2912B2F5B044B9BE8158FDEECFE735431E9BB47BC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.571{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_sam_dump.yml.tmpMD5=21F1832B5504F99BBB4C2DC806E06425,SHA256=C31161791EFB25F957A8B3760E231FB71AB95B5D20A454DD900C6A1402DE2FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.570{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_atsvc_task.yml.tmpMD5=40B2A8938956308FE50788501A29154D,SHA256=6C5BDC5647C21862EEBCB7C39A1B1758DE173E327FE826B3D8AD1E89CB975371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.566{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_mal_creddumper.yml.tmpMD5=51675C0B9C3B586A4C30B7146ED3185E,SHA256=5A87475DEEC1283BD0F4E1B1ABDB8170CF9D716E23CCE4A6453A233C65C9AF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.561{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_winword_cve_2021_40444.yml.tmpMD5=691E80E4DF9AC6B82A38E6AE19ED9107,SHA256=3296C89472EFABBCD3938170F4B9E9D8F7CAFB1CCA6234010AD1EDA63198E00D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.559{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_winrm_awl_bypass.yml.tmpMD5=1C91D0722AAFF305256F0540C8A29E29,SHA256=AC4F04CCC37494F114A7F6ED4C83287633761D452B6EB00780A133836D80D1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.557{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_cve_2021_41379_msi_lpe.yml.tmpMD5=9D7706065A3E2D9C8862071521629162,SHA256=A22943B1DC82A9058AE501FBD61E552B191E44C4B6D6471206D807AF57DD357A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.555{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_codeintegrity_check_failure.yml.tmpMD5=1BE0C9ADC09BB7A2B87CFF42EF0AC944,SHA256=76000B2E701BCC745D99477F6D265923E373E872C14190F7F732B81475FF5BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.553{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_werfault_dll_hijacking.yml.tmpMD5=71CC4109F0FEBF8CC7B1CD8207729B63,SHA256=975F4AFB5A8B4E904CDCA4AA35D1D3A9AEA5FC0C0E4F71E01DB742AF59E6ACD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.551{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_apt_slingshot.yml.tmpMD5=798F408075A2B53E6E9BE3DF92B45C13,SHA256=C71AAB1C765236F72F1E7B82EE73C6B1B2BB589D95F5631DE09FC30CFA9DBD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.550{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_rc4_kerberos.yml.tmpMD5=616F9FF2905AD80198A3985FDFEFD32E,SHA256=DFDE513EF214853D8EADD77462B1AA6AC58EBCF4E9525C24FF3B60481F536B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.548{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_powershell_script_installed_as_service.yml.tmpMD5=A92D5D1D14347F5619C69BE475BDE2C4,SHA256=5FC0ACE01E2987F290A0D2934BA5573BB6843B5FD0599D66229AEC9A1EC76A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.547{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_ad_user_enumeration.yml.tmpMD5=DDD75440B9AD919CD71E649464006D1E,SHA256=028698ED50D8225B996488D959FB195B352A48C70197A7287404B2AEA2228BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.544{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_ripzip_attack.yml.tmpMD5=A93D236728E1EB3A695DC6E5A72885F5,SHA256=E49238E97DA9C7E435A9DF0A9F383D138A12C64138B67342F7CBB407F783F418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.542{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_powershell_startup_shortcuts.yml.tmpMD5=E3F8C2F073FC6E8F752631F1788B3534,SHA256=FDE7BC8FDB0C9EBB52B741D7DB1962C5466DB53364F1CA639F43EFE006BA9036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.540{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_delete\orig--file_delete_win_sysinternals_sdelete_file_deletion.yml.tmpMD5=6212F1C19F6668F4F97DD9DA943A7CFB,SHA256=5AA28B6205D1C76CC6F8088BE68097702B1CF75ADF6BD55D54C01B5A9324945B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.538{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_ntds_dit.yml.tmpMD5=93CD7E2295BB4F75D41F8163562ED5E8,SHA256=80BB424875DF54B29613771335636A53E2C95E1251EDB2FC85106EB1416C57EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.535{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_adcs_certificate_template_configuration_vulnerability_eku.yml.tmpMD5=99357F4DD9BB8A82A23B9A5D9BBC2E05,SHA256=99873F1147E25A1E6AFDCD0A6757A8327200CE306DB20AE1CD9DE2CE62B544AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.531{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_alert_ruler.yml.tmpMD5=8281ED847DF7B29F6D35F7F054D24A0D,SHA256=E6B5CEADC42042F648951F4EAB52983350242D8E525E451F516BF16DDF3D7F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.530{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_access_susp_unattend_xml.yml.tmpMD5=4ECD270CB78996E05F1CBBD7C1884C4B,SHA256=16B517E80D6E16E9B9D1D0B7515479A740ED88091310D31FF9ABA7D63D566EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.527{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_eventlog_cleared.yml.tmpMD5=F061FBBB6D77B85450299DE9BDDFFD3B,SHA256=905D1AC78B4038EAB18AFFE172CBE953D04723FB924766EB7CCC56AE45D648BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.525{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_service_installation.yml.tmpMD5=484F6F63A551148E38942AF92EF9D502,SHA256=CDDABD1388B5BB0518AE2E7587054133A76B2EAE704615508076C6E92D9A6B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.524{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_dhcp_config_failed.yml.tmpMD5=2B6CC7FCDC5BA9A3451BAED426FF3866,SHA256=446878DC0C0B6EB078F867C4ED11E77E2C92877514793D4C09AD9B1761E13F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.518{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_ad_replication_non_machine_account.yml.tmpMD5=36A0BE42CAC402589A4AB074422CB19C,SHA256=35EEFA9BB859114612D3A784437E26475491B186E651123506A94F79802B3CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.517{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_rdp_bluekeep_poc_scanner.yml.tmpMD5=426EE6827C3266C25191CCDA4275AE54,SHA256=1E66FCCEC95D7C512D2D3B85225252853132F3905A68A6E530B3EA112CDF3BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.515{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_lsasrv_ntlmv1.yml.tmpMD5=AE1F64D0EF9C1ED3DDC0F89D7F13907F,SHA256=9EA0622EB1C2DB255A032A8DF460B47971C658EA2CD1D5214B7E5B243F7E3CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.513{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_vssaudit_secevent_source_registration.yml.tmpMD5=C006882D2A77D7E1BEC33B51579089B8,SHA256=2BBEB2A9F9D5373DC6299A4809C9795F4056A80699FC8986978948D9FC8826C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.512{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_computer_name.yml.tmpMD5=874898C1579E21C3FB43174D489BDCB5,SHA256=E65D453F6D04F1D31B242B4B15C50DCF36DAF9C72D94DD979159A0768A850F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.510{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_tool_psexec.yml.tmpMD5=BEA7DD55FB6A4BD431E92408A7C11B66,SHA256=706E3A4935B65AA0A1F551EB398A689B87EE26E803AB6C7492D4C56977C97EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.508{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_lsass_access_non_system_account.yml.tmpMD5=CAF373DD2951A9D8F5D4F262FCDDE41E,SHA256=9A3D56C06017F4377F352132B785FF7099B5A355202997F4541C2F87059819E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.506{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_startup_folder_file_write.yml.tmpMD5=F7CC953B0B95755E4712B81F40D42B3D,SHA256=2CFB09FF3AFBF4153E4D6CA66DAB6D80B4585D77F141A64E571C8138F63A0D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.501{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_krbrelayup.yml.tmpMD5=4AC27E26B3AE7DAF81365057D31C095E,SHA256=203A9A17440F6B717DCB127143347007BA5D9094440FA355D7A64A0CD10223A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.499{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_creation_new_shim_database.yml.tmpMD5=7C5C263937DD7A807D43A2E60639583F,SHA256=178808A7050EDF469A3236E6AF3F0ED11601FE46DD5F31255C4F97D6022B286E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.497{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_cve_2021_1675_printspooler.yml.tmpMD5=B26771812922475B8F7DE2AF3BB379CC,SHA256=03F7291C6CF304A596FEA2DEB861BEB4B5BB561A3FEFC9C5E981BE5435E4C390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.496{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_ntfs_vuln_exploit.yml.tmpMD5=A15A84D5B851D2F960184F8A1FDB720F,SHA256=FDBBFD89B3BCF1B7DDA383E6A3F4651BF64280A8797A945C9620FF1ACC896058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.495{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_time_modification.yml.tmpMD5=A03887DBA325C5571048D0DE15C581EF,SHA256=B25BA1FFF3981C3C89B9D6E281D414C0EAD19D5C62D3BF68700DF28516C058EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.493{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_obfuscated_iex_services_security.yml.tmpMD5=3E30C74CB82A9FEDC8A9F4577EEF089E,SHA256=27EEE41F45B2A35EFA1F28A8EA53BEF0D9AD52F45222B5A477A8A9F2F85C4278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.492{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml.tmpMD5=15193962C6E25F4367670A19FFEA33D2,SHA256=E494AF2A8C4E5D2035A10AD544803B9A3F49F83B32DCF2105FDF488B7A7E35CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.490{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_via_rundll_services.yml.tmpMD5=79D487E9628E2C2E1EB661E53512902C,SHA256=74978FC6032479A5743569E7C4EECB4771994F0C74AAB8CB603F3CC32DE88641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.488{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_dcom_iertutil_dll_hijack.yml.tmpMD5=93A43F511959C2CCBABE19F42B70150A,SHA256=B961B58E462111AA8599CD71E87D0A9F57E721648F60BC33809AB8E1C9A38F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.487{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_via_stdin_services.yml.tmpMD5=CF9968785C8B8536D07FE445EC242E41,SHA256=B8A9448D22B61E0FD33ED6E65C200E42B06105B83F2436D124C11B877E84B7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.485{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_wpbbin_persistence.yml.tmpMD5=7E5989BFBD7A2C45D97EE9B4614BDCD5,SHA256=0204AE3716695BD646B3B9D603C8B5B3D7E732CD7A0FFCFCB99CED090BFDDEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.484{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_petitpotam_network_share.yml.tmpMD5=41DB88C9C814D6ED59C08F534B04DCF7,SHA256=8C2DAA65B8A76D11C261F04964721543E4655167673DD067B9DE00782223F459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.479{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_via_stdin_services_security.yml.tmpMD5=178D29D1910C799781FDA8CDDD8F9116,SHA256=AF7DEA2A24D99D4FCC45C9CBEE5EB8A4A388F95E72A6B3B54DF16AFF767BACA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.477{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_rename\orig--file_rename_win_not_dll_to_dll.yml.tmpMD5=9BFD24CA4A81406E2D799CF8D4F6EB48,SHA256=7FB74A8CD83936D27F04FBDF43B2AA70462CF9BC58CC25F242166AFF4E9E8B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.475{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_cred_dump_tools_dropped_files.yml.tmpMD5=065DFD6062B7945DE025C684455A90F6,SHA256=A77A22266D8753E9C7E6CB5F7308383A6F66CB8951D332FDE6C47B234767A10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.474{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_raccess_sensitive_fext.yml.tmpMD5=498880C60C3582DA5FE89F56D6CCA8AA,SHA256=99BE731C16013871737917CBD6B041BA29FADDDD45EFF5D3C8382E2AD382B841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.471{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_dropper.yml.tmpMD5=3A1DCC3C039DF467E15BA41C74E41DBE,SHA256=66C4D9E6470153E58A3FCB8AB107692289B1C38069F7A5C25EED984A23571B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.469{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_dhcp_config.yml.tmpMD5=D6F5A7C949406D9AF0212B418E91861A,SHA256=5410F2817801AB88699EED5FEA515A1CFD1B39F8FCA22826140E3E1A42507D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.467{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_webshell_creation_detect.yml.tmpMD5=4CEA43117811388E747B4C8CD4ACB46A,SHA256=246D6C5A78A225EEF419D1BCDFE2082495E6CE6CBA1C3A4AFF933BB2450F0E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.464{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logons_single_source.yml.tmpMD5=D849EF69D9D209C9E9F8378DA59BFF79,SHA256=8577346094BEFE7CF130B2F63C77C8F1F2488F56598BEEDD8D32C9DC28F239F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.462{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\response-sets\orig--aurora-lite.yml.sig.tmpMD5=6E0D7E30E1CBCE1DA3501784CA1D0C31,SHA256=BEBE462D1B76E0717630D643542C10F051DFE3752445098AF5D9688E2FAD0209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.460{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\response-sets\orig--aurora-lite.yml.tmpMD5=AAFCF1CC2453BAC632C241AADC0F3342,SHA256=93EAEE4E5430AA035E569DC69E7F7A047458C04DC189908D9EBAB438696C3B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.458{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\orig--sigmarev.tmpMD5=707CD81919DEC2792A120D5838497081,SHA256=920D113064B0048DAC7F9C0B3842C7EE6A00B6C40E5CC147E20531731B72BBB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.456{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_get_addbaccount.yml.tmpMD5=90A943313DB0FDBC14729BAC4FCBF2C4,SHA256=459254F6B9DB01C05A15645F84828E6C6E325052B24AAB7681CA1396555611AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.454{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_stdin.yml.tmpMD5=C31F53CB75CD64FE1D4B99B9BF9431AE,SHA256=09E732826D774F88C6B8E33E0532031AD243D54E9EBD0FEB2A36D6E0B5B907A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.453{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_invocation_specific.yml.tmpMD5=25890BB211AA9F8E7A269C53644A960A,SHA256=80C6F2436FCB49DB60BDBD52D23C5B99F45D8C9732DC61CD0DF69B5FA0888020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.451{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_remote_powershell_session.yml.tmpMD5=0F828CFD503A3C6D6B23B697FC288D51,SHA256=0BFAAE86A323FFE014B35205EB9BEB538BEF2465F8D3853E11776B507DD36558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.448{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_use_clip.yml.tmpMD5=210E9E401CAB87687558AA242DBC8863,SHA256=ABB301305650C7DE362AD95326AA0158D24BAAF8BE00FF0948E1D227812A7AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.446{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_powercat.yml.tmpMD5=8A6F7663E3463C8F0CF21AF8D5BABB72,SHA256=140C725E96FDCE98E77A07559334EE4DB62014745E084BA8449D7127279F170D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.443{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_download.yml.tmpMD5=663C9569EFBB84C73DC97F880D8218DE,SHA256=30249CBE0ECC810F4FAC2B8930D37BD6AC3832C42D41EBE04302E42D2BA74ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.441{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_clear_powershell_history.yml.tmpMD5=220540E7EA759B6A177255431FEBB9ED,SHA256=826E337F401D94903BA90D4BD4575C731A3F791F2793815E39D5FB27DC8AF2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.439{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_syncappvpublishingserver_exe.yml.tmpMD5=6CDBDB16CBC07AE1ABB8C975D3A2B863,SHA256=A523650A896B3E54667A1015108A2DAC608F7E2BA3D6C34B0D59F2F767406973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.438{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_get_nettcpconnection.yml.tmpMD5=CF9A2061C9961FA8BB504872A105AED9,SHA256=F7C30A77C40B5C0749A73C6113BA4005F47F07ACCA5D9C6097D76DE1220EAA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.434{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_stdin.yml.tmpMD5=6D11EF3F7379CF2CCB387FE065BB4103,SHA256=3A209D7542CEBCDEB83AF5F1434D246599BBB52A0E2E39837554704A7632711C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.433{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_smb_share_reco.yml.tmpMD5=F3265696BFE04DB24C4599948ADC320A,SHA256=7F2EBDF6C365545C7611646532B7C5A23E8AE1E122FF098E1A09DB9E22F9D7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.426{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_zip_compress.yml.tmpMD5=3ED98A4A32F9EB3366822A2A0B993565,SHA256=AE3014FEB1A9E3FAEAB87C42AC8241D49BF65FBD92460BFFB30C0960C7C1663F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.424{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_var.yml.tmpMD5=36B2D87C8AECCFA14B3367EED188CFF8,SHA256=C082FC09CB1E940157350D96BB679C17820E8F9A15564202A245265A7E16A160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.423{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_decompress_commands.yml.tmpMD5=BBD0560BC1EE6C861265AE501EDB7BA8,SHA256=74654EF76652769BF8CBAF9D8E1418575D1A0EF147A706EBA4133342E209686F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.421{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_get_clipboard.yml.tmpMD5=622A00BEDCF610994FB1FE1751935999,SHA256=03EC89BBABA4D036DEA00724873D6D1874B4AA92B86C12AE445DFD8DD3B124D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.420{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_use_mhsta.yml.tmpMD5=F0034867AB83E7F659CACC4B1C06D75F,SHA256=FB0F88845B2934FBE6B993F1486D88695C06FB60B06F89C95D296A439ECCD888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.418{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_athremotefxvgpudisablementcommand.yml.tmpMD5=2FC20E61F7933D327B4DA3EFA7673B6C,SHA256=D150EB5D6BFE048002C73EB45A7F1B16020F425082465C7D33C37342FACBB1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.416{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_obfuscated_iex.yml.tmpMD5=C0994CDD7AE38ACD439BC1F54ACE2DFF,SHA256=D50D245BE4E77F3C3F3E9E28830454C99030F34124CDBF0178973DB86A5675A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.415{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_rundll.yml.tmpMD5=F8A32B80034E56CC0FD1EFF49E7EE826,SHA256=5102985E8549D278B3443A2194C8E846B73F073BE12DBC3B9B6D3DCAD7A85D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.413{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_local_group_reco.yml.tmpMD5=5E971E2B7F6386086464349982BCBC52,SHA256=E2AE0532C6FC95801C411C74E113EF9691F9CA0633539526032261080131A59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.408{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_ad_group_reco.yml.tmpMD5=1580228CAE8E627A7537AAFBFD56B442,SHA256=CE954F8A14CBFB3460EF4705435913A9F26FB6C3CF4E783C5C7B51ADDF3E268E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.406{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_alternate_powershell_hosts.yml.tmpMD5=0CA815E828B3CE05962E2351D8E6D72F,SHA256=E9011CD740E2B476993C1E87A757FCF22E9B1090E8AA6B7AC86E665F6583CE75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.404{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_clip.yml.tmpMD5=7C5065612063FB136E777FE1A4477863,SHA256=F83C49B853D1564CBA2ED5BFE7E4FBDF0A37463DB4E7598512A5155CC0B0C453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.402{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_use_rundll32.yml.tmpMD5=DFA9B2EE183B324A76591E70F7FDD84E,SHA256=7AC7C63B8EA31C7C4AFC11C6EFAA7CAEB91378E3C75A0F4296985F526275F848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.399{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_invocation_generic.yml.tmpMD5=CB9718AFED4C6BB90CC1A8979294E255,SHA256=3D0106F0110A33439B05AE8B1FBDA8D26B835208823B51C49C5093D354A3BFA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.395{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_var.yml.tmpMD5=3D0B4AD97B14583D09611836378C39F7,SHA256=025046E7EE59C73131F1C7CFDB265B31B3A645FCAE0A162B9FB87451F6339C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.394{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_compress.yml.tmpMD5=18B7E6939B134976E0897B4A84945AE9,SHA256=49A6AAF87B79C71550DE9C8408A96E52FE1D096753C5132C528EA2405EFE41D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.392{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_reset_computermachinepassword.yml.tmpMD5=AF98BE937A8D987DCDB8EB6AD8462E55,SHA256=D857D1693D8ABC27B4898642CEDA4D5E2156ECB9FD5A81B23F3F830516CFE24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.391{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_bad_opsec_artifacts.yml.tmpMD5=A20D80EA861555866311D36C8E738415,SHA256=4C90F01845C12AE4B7526C87721B84BCC94D9664B161D014A4F5BEB76A7B3438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.389{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_alternate_powershell_hosts.yml.tmpMD5=4EC026675CCDB621717D3471E6B49EE9,SHA256=435468E86FF9375E3F9E4188B25E2AB202677926DDC947E1D249D52E95EA0E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.388{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_exe_calling_ps.yml.tmpMD5=3FCB87F13AA74D9BA8A733D3856634B9,SHA256=7F37EE3F897A6996B8660B0212243C66F01383F3400C9B55E6BB7454EED5C13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.386{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_renamed_powershell.yml.tmpMD5=2917B8F6AADF499F919EDEFC68D37302,SHA256=B5B22BA4CE89824205FCE3B227EB082C808D0F41D9587952BBDC2B0A35515B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.383{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_powercat.yml.tmpMD5=E7135C46F574A6648D7ECE71C543DB58,SHA256=C171DD76A3C66693EB23952651E0A3E64798C69503B7D5C96E06F8D263825B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.381{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_delete_volume_shadow_copies.yml.tmpMD5=EC3DFA8CBAC6C87AE32DBB5DC9351ADF,SHA256=270F28B1D9CA20C01CA7962DF7A158FE576CFEAF8B736B2EC72B6E1B9628ED13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.379{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_tamper_with_windows_defender.yml.tmpMD5=6954B7853FAE94615637BACFE8AA9A0B,SHA256=7E1AD8805C4631E7D5C4D40EEC5979388378C891B6F9FD1593027ACD5E40391D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.379{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_remote_powershell_session.yml.tmpMD5=53CEED8FEBDCFE2EFE258F68E37496EE,SHA256=86E4A0D26D48DDD0B3FB1F2923572D9C02BADB2194E3BD291433F0942564AEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.377{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_susp_get_nettcpconnection.yml.tmpMD5=E26D077F4503DD918C38840698864D5B,SHA256=5000F09A0D0D02345E98CA311F2B989B73FF059FD78BDC5EA25F593746780279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.374{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_downgrade_attack.yml.tmpMD5=EB397DD14E4A0DC4285CEF4F83877157,SHA256=A9CDF6F2238E6D4BF2992D3D67737B5275138A57C06B7DDF78C664C85CC47E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.373{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_susp_download.yml.tmpMD5=4A204372B27040BBD81DD710FBF7F33A,SHA256=067C027C8E100CB413D6D772A074B952D8BF72D94BCCF6FE0F7B60916AE85F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.368{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_susp_zip_compress.yml.tmpMD5=7B9A44CC9AFF159343E620CD7C95414C,SHA256=32C6444EEBF3E5F755AE5D1338816BB05C85533C4D0ABFB8F13C763BDCC37A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.367{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_susp_athremotefxvgpudisablementcommand.yml.tmpMD5=D41E40FB09D9B68D36A9C794B9568394,SHA256=026D60F2B0D43685C12DD1A823D9A2F384DEBB148743733452BB1A25FC2FCD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.366{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_xor_commandline.yml.tmpMD5=307D41082C53187B0BBE8FC67CF025E7,SHA256=5B408EF7601E5BD15A2D967BBFA958C9FC55018EA38E473987342D2AC0ACA98F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.364{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_wsman_com_provider_no_powershell.yml.tmpMD5=3C1D2467D8CDF47A564B71A962A8D8EF,SHA256=483085DF15500849F4844036EEB231A9DEF6D89FA9957B95FFF172879DE4FDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.358{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_clear_eventlog.yml.tmpMD5=4EEB078E1EBD19109F0432ED64A93407,SHA256=791DA52D8C479F5F92A0483BFDA6102A099335F075CE392059A55EAA2EF175F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.357{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_file_and_directory_discovery.yml.tmpMD5=2D09F5ACEF641CCD4250C89548940BE9,SHA256=608996D5485B32A4E0EA002E2F97AB0C232857C6516336C5FDACD868357593CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.354{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cl_mutexverifiers_lolscript_count.yml.tmpMD5=33AE8CCE95E7E235D9D6B495F69856CA,SHA256=941A39DF982AAC8087FBE0A3BC47EFD17027F7DA9898FE14386323E7D927B47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.351{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_etw_trace_evasion.yml.tmpMD5=3F20ADE368F5FD3C5AFB07AC13DB5EE9,SHA256=15F0E5EE85CE876D9C29AC73EA9C0CDDB342DB786574AA41B80131196A561BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.350{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_adrecon_execution.yml.tmpMD5=CC6DE37F44A24A81FDC2B3C7975DF934,SHA256=710C1FE039084FFA04F3C37AA754683BAB260D65E29763A1594301DF035ADD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.347{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_malicious_commandlets.yml.tmpMD5=926449E0FD55B6001A6221BFFF46D76C,SHA256=73CA7BAEFDB82CB19C24736221E4C365502A440C879B628D1BC6A978E82178E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.345{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_proxy_scripts.yml.tmpMD5=889E959FDE9F3F3534848DAB522D5299,SHA256=51B60218F63608D86A66C3C21018A7414D68BAB6CD8B04D21DA1B218A6A60A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.343{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_get_childitem_bookmarks.yml.tmpMD5=FDFF5AC5BE6DB6C3BE9DBA5EE81A94AD,SHA256=6517F92155598A07C946654E7D85539D906E33A906DDC6376633015A37A309BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.339{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_recon_export.yml.tmpMD5=48E0089F73A0326B6238F567D2CC5025,SHA256=2D1E09EE645316C60E0E650CC525223E144F5D2992D9EFC8AEE3C1AA7B82E412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.337{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_keywords.yml.tmpMD5=BEE03176AE386E694B9670177098D6D2,SHA256=67F932F358295DFEAEF5207B09DC08C9D0C4CA7C0069ECF001C4F43545993D6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.333{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_automated_collection.yml.tmpMD5=E826BFF0652C9A9EE3F334251A12DE46,SHA256=A0390D175866BE070E088B221D22D7B07F43F6422805E90B9005FBA10E560E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.331{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_remote_session_creation.yml.tmpMD5=39E97C9A7EC6FC9248720D5B06FF6BF2,SHA256=64E71465D0C4AB42D64266172E1074FC02432231E540FBBEAAFCCAA6E5BD80AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.330{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_obfuscated_iex.yml.tmpMD5=42074C71CEDB86F5358FD3031EB07396,SHA256=239E46B2B3C1E1A541207C58E7250698BB1D5F7BBD4F89CF88A67ACF77E38212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.328{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_trigger_profiles.yml.tmpMD5=D26113DC1014E40F4F6C2D27655FEC93,SHA256=C6BD2C19557EF69CA77E531668A64E71FE26B2F7957C8DDFB107F9E27050234C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.326{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_capture_screenshots.yml.tmpMD5=EF70BA9FDCA2FDFB0EDA4D25FDEDC470,SHA256=DF6FBA0AEF1AAF96EC861A04B81205D633798AB2619AF47C834FA38268A8AE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.325{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_addefaultdomainpasswordpolicy.yml.tmpMD5=F824F6AE142FEC46965679B948A23215,SHA256=6AAB1D180F05AFB95098E3E83C412B06C008E221615CC7EE793BCCB17DF7DB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.323{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_wallpaper.yml.tmpMD5=986FF4EAD4E2F2E6622BB2CB5FC70823,SHA256=9CB4A40E76FB331A6076F68818350D41BD3BDF1F37231D64AC6C24199A262083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.322{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_use_clip.yml.tmpMD5=6A2BEB9509834B4DE1207F102EEE466C,SHA256=6E4080C34765539BCAA1F7CA5A1EAAEDD8338D8CCBB4045B84B2E3A6C2893337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.320{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_modify_group_policy_settings.yml.tmpMD5=B6B7838AF9A2520A6D6CFF10CA30B6A1,SHA256=29AE3D66EE77FD3892F735DBA9AED851E0B84BA132C265F636F1A0ABF54E76D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.319{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_command_remote.yml.tmpMD5=5F59C0108B3E7656E5113C0CE6B1CE8A,SHA256=EB93F2E4BA477D7B361DB4D785A380F7303CE3CE6D63C63436E9594DC858FB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.317{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_use_mhsta.yml.tmpMD5=5836C9C08F0306BFC03A1A53B1983FCF,SHA256=EFED8C7648030E7ABCD3139A20D04B3260C192940C305C5EADD1FBABE74AC5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.315{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_test_netconnection.yml.tmpMD5=02AA6CB89F239F8CB047BD28ADB33D7B,SHA256=D682B7F2EC6CCB45D04E55D84979737BFD14847FDD9038D14FC7A90F2D4E21F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.312{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_request_kerberos_ticket.yml.tmpMD5=350E52795613B309DF9F14D90FDE246D,SHA256=959DA997F38CA4E8FF81360F4C8388F4FED7D5AB88632182705D05CD92A1F6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.310{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_remove_item_path.yml.tmpMD5=47BC54DBCE19A7FAFD46DA31CA556103,SHA256=440D4E68C5511ADBA7270E2480717E72130C5D1D883D4656BF1A95FAA6043E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.308{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_malicious_keywords.yml.tmpMD5=AD3DD51501BD51B285B41A9FB7798CC7,SHA256=948B71C9FBEEA5622D1CE60E63F2C905EEFEAD97098C787CADA217DE31FFAB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.307{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_disable_psreadline_command_history.yml.tmpMD5=8A1273F494D8D8EAF75ED81762F4E4AE,SHA256=EBA950F2256DAB7817C460F3F8FBDDC086C28E6B4CFEE67B73524B4CFE985289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.306{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_adcomputer.yml.tmpMD5=66A72E9CA805489A0EAC0087DDA72681,SHA256=7CBA5857BDCDB7DFFF2261F74E381D35EC5D421580CE40802F42A686C546B82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.304{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_gpo.yml.tmpMD5=CDB4E49A4487C69919079B07837D3A83,SHA256=DD8E0D2E947A854AD339E9B693A0F1872687C048CBD0E05041E42352E592427C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.303{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_invocation_generic.yml.tmpMD5=56482886F0C57E8F03566F2ED02C88EF,SHA256=6DEA7B2F72B8CFA75CCF793F01E0E5708D2E035F85BAB61FE5C256BCBC6A1271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.301{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_win32_shadowcopy.yml.tmpMD5=A69D28600FD7021CB34E3D7E8F54BCC5,SHA256=BCB2C8539A45B63E7D40305C1822E04FA730130670255460D0E63B292763FD9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.299{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_clip.yml.tmpMD5=1A40FED2014F53436265ACFF2A29E8E9,SHA256=CA0CAF9057E9FB900F1C3798497CDD929D17235BF848B6138FDBB891AE909F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.298{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_var.yml.tmpMD5=8569E6CAE047BBFB412A0EE8781435B8,SHA256=CB5D544BE33FB2B9912E9CF054B5DEFE10147A91097F7D2C3033CD4682456365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.296{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_data_compressed.yml.tmpMD5=71E5E26B4E07FE753B44BD8B31D10E79,SHA256=97ADC347A4414BBB80B492BD5E7FD603D434529FD4CD0690969BB53BE732F816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.294{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_create_volume_shadow_copy.yml.tmpMD5=2DED648D4C385FB7B49DEA1D39661E6C,SHA256=6ECE0FE0767C963973C08382C1A7C0F17641DD02BA3CE271258A51275C6E4BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.292{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_syncappvpublishingserver_exe.yml.tmpMD5=0E7D0DA7BA023A999FAEAC20B722020A,SHA256=5CF85F0412E9606CC594D6D679FEA80DC4ECF16A591F914E19EBA6C1D6A09FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.291{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_msxml_com.yml.tmpMD5=C637AB43ADB100F827AD438E9D1543AF,SHA256=2E931E4ABC519FBED0FAAD91FD56BF32980B34C6CC5E54E75D4E17A4AF76144F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.289{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_ssl_keyword.yml.tmpMD5=8E0930699E6D781C26029D95828ABF2F,SHA256=A45A919306A31FED996FBCF153264E96B38E6A6D93A31A7927A8C6C5780B4DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.289{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_timestomp.yml.tmpMD5=F7D9B43D03055261CF7FF85DBCF05DD3,SHA256=FA34E322B81569ECDA46D2A8F6495E3A97DB5CCFD4FD91E1FCC0389E8BE36F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.286{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_nishang_malicious_commandlets.yml.tmpMD5=7A896E2D21A9364B3EEA01219DCBFD30,SHA256=D9318AA549F12B8E688F33CD3B599A1933F05612887264B452B092DA1E2FCFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.285{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_directory_enum.yml.tmpMD5=B3DAD26F046A19D1FD097A917B3D36DA,SHA256=AF01A03B937173563DA90D9AF14A9C81A953FB9E2FE3D7D7DAB1DF768DE8005A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.283{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_networkcredential.yml.tmpMD5=B5189634847F6C299D3384C5C8F96540,SHA256=BA3D327A67CDCD5649C9B9D7EE14B074D7CDC870B4CBD25EEB16AAC05672FE08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.282{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cor_profiler.yml.tmpMD5=DC143313C805B0B2CB3FDD10DDC6B2C8,SHA256=B39C08E229E9A8925791421E23053D58761A1B059D67CEE0F0B95C67AF6F75A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.280{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_detect_vm_env.yml.tmpMD5=7DF9E50A3EF57055466A0128754A34BF,SHA256=489E751ED1071D60EE9753149132D6891B63B64F1C355C35BE5AFAA9AE3A00C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.279{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_xml_iex.yml.tmpMD5=83A6FDB9B92BC3DAE45CA1904DB4B785,SHA256=20FC7E5DE80978CAA82BB3883D3750121977B46EBCF081B75A6AD97C7A07CE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.277{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_powerview_malicious_commandlets.yml.tmpMD5=D049B0F1108DBCA98C2412B72EE7BF8A,SHA256=8A5DE7874D7EEF8FFCD74656DFCD66C62F18AB4E58779656B3E4FF133170ABD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.276{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cl_invocation_lolscript.yml.tmpMD5=7FEA6CB3F6251F71A2F875F9220140EF,SHA256=B40FD201A56EBDD4EEB3654F056A393B76C1B84EF24C55B3DF6ACCB98CD786CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.273{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_windowstyle.yml.tmpMD5=9D9DA866BFBD17A182700D13E60E3FB7,SHA256=72099182001B8A9776FFA95F802EF44D306D4A560C4CA19C4A24D1D6D2BF3C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.272{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_disable_windowsoptionalfeature.yml.tmpMD5=7F0732D41AA481E67C5E03FC6B8CB942,SHA256=6FEB7350E56E5A1AA254DDA883FB7144EC4275CB1CFB34B66A6991EFE809F47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.272{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_azurehound_commands.yml.tmpMD5=8241DBA0A0D407831B6315C4C7F40C45,SHA256=81E688FDC72B5A019BADA44EFCA767203D57C8AEDFF6CE65C85B11FC283DFEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.270{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_copy_item_system32.yml.tmpMD5=769435250CAA40F886402FD2DE220487,SHA256=42AFBE5EBBA2E482158BA2339A2CFA1CD23AD27D45D6AB08F3098929F0EE11DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.268{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_use_rundll32.yml.tmpMD5=3E8EE0430EA2EF73FD0D12D4CF036D07,SHA256=40424582FB42A9BE8E779752AAFC6B055C517EB28260D9E1A5F3174DDD4916BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.264{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_store_file_in_alternate_data_stream.yml.tmpMD5=ED96B668CD28EF868A7F17D45DF26DE9,SHA256=D77EBF3669EB49C88D95E60CD805BBEB977D828D13E08732F0D09A4DE06BD49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.262{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_dnsexfiltration.yml.tmpMD5=F69E61587B406BE350A444101F709F07,SHA256=E869A2C0C4E596F4DB83AC02BCA495827C17685FE95D2EE4B9A42B2831A19366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.261{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_gettypefromclsid.yml.tmpMD5=9B64490754A35C2D35ED236CD386A681,SHA256=B7BF3152743A8C1BC8548B9FE9255B581B3545324F2148A8BD70130D72571C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.260{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_var.yml.tmpMD5=E92BE2DE47B01885603E7C7FC32B771B,SHA256=CE1B4BD87CE3E37F28E1A116CE54EA40D930FB6ED526719439E6DDE4AD17440B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.257{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_enable_psremoting.yml.tmpMD5=EB61F43F4957C3FE21312E1FB2D36F1B,SHA256=AD92644197A7E742472A2248ECB0CB252D338E08EFA9ED85A1EF5A341A77E591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.256{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_dump_password_windows_credential_manager.yml.tmpMD5=964AE71143153C9D93F41921100A49E9,SHA256=7AE55560144FB56C1EF2CE66810795F13D5F76FCCC093CF8892FB3D372D26091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.254{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_unblock_file.yml.tmpMD5=2204E980210C56B37A0732989615CF17,SHA256=6FCDA38EB37596F65C2996DAB5EEF612E473D5C3C599AC14D54ADE736A4F80D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.251{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_stdin.yml.tmpMD5=DEF543621A96BD650C1891ECE970CEFF,SHA256=53F179D7B53AE5BAC1BF044C52090014F2FA5D646EA732F5503F8DDA85B2592B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.250{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_win_defender_exclusions_added.yml.tmpMD5=5651CA2E62106B74EAC7F370A18D780C,SHA256=671B7BBE601AD0DDB1ECF96C133F3B439A1AC07BABEE63EA7DD433AD7BA56471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.246{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_localuser.yml.tmpMD5=ACDA46A4E384876D66EDBC8DD8622DE8,SHA256=4DCE39419692A88CAEA889DF08BD81498485808EEE6B1C4AFAE1D098A84636EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.245{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_write_eventlog.yml.tmpMD5=C76B7C7468FD3146126DC80428F83910,SHA256=FAF3ED9232D0950B24743577336A6F9708906AC649D1A6D4E3289F8CB8F6FAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.244{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_mail_acces.yml.tmpMD5=26D1F1210FC841ABD6F3D61274214616,SHA256=23A750D65F94A631C85E04EA84028FD27F57AE20B4C70F130D226F557695C3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.241{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_potential_invoke_mimikatz.yml.tmpMD5=F690AE8ABBC3FA5DD5AC26103B41B431,SHA256=3EB692A5C46434E44264ABC4E92D3EC1458EBB917B1487DF99E32E8CFADA90B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.239{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_follina_execution.yml.tmpMD5=3DD7794F7FCEA95C16316CBFE269CEC2,SHA256=2E2179EA7627468CA75A27F102BBCE9A241373673778D4C6B3382A9A4B50EE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.237{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_clearing_windows_console_history.yml.tmpMD5=7DFB029A51BB514D6BF17E2A59C0EC50,SHA256=8D3EEEB43BEA0F261632C6C219B992DAC98BC896238B72C05F2FA738262E3573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.236{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_ad_group_reco.yml.tmpMD5=0303BED148DA1F0EEA37F0FB73267C1E,SHA256=3E668404C49760D8166997000503D46393FA23DE03844C6C4D3E3750DADEB331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.234{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_mounted_share_deletion.yml.tmpMD5=A51D79A0B575F5E9B65740FF8B390248,SHA256=88536AAB3727C3B603AF30B1D64670EB1DCE74526E8C8CB53E8B4065A28888B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.233{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_tamper_defender.yml.tmpMD5=F4A5F6D37923F3CF03C1BE99A0766494,SHA256=D0F1E8BF55DF0C027DEEDFA3422FFC62076920E6558D20AD79193F2DC0DF0F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.231{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_as_rep_roasting.yml.tmpMD5=953566307173DB5CEC2045E70F2F77FA,SHA256=F8A63A68FE54E7A0065EDD9EB1E52A23F68E08F6075D0BB8B25075D2B02BC43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.229{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_run_from_mount_diskimage.yml.tmpMD5=EA5234019D8D22E56054DF651E9353FF,SHA256=8F148945977DA29DF67E470C6B9C0714872DE766B042A295FD7E7CE505F6584B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.228{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_get_adreplaccount.yml.tmpMD5=F99240637D8709A379B7BF6FFA01FD96,SHA256=095AC4268DAA30807748191C86BF85DC3F98D8E45298B5FC77DA7B9CB03D42F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.227{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_upload.yml.tmpMD5=2C99E1FB1CE4852EB417307A0EB08AAC,SHA256=84EB28E85DFF0588146C17A262AC41AAD407856757C45EFB7AA0DA515753806D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.225{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_web_request.yml.tmpMD5=E7058CD98488966EB83373A879B14645,SHA256=B67074AD3BA2311D323D0921121F38BEFF2E630F6ABB871D5330F0A3415B5E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.224{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_psattack.yml.tmpMD5=0522FED53420F258AD5BA27E106B6255,SHA256=FA8B45F8BA93464800029789FBED1A5C5661CACD372D3BD9F0FA275B4107C7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.222{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_invocation_specific.yml.tmpMD5=E63AC43F507E7E4B3AC7A1261D77E891,SHA256=EF37BD7089E99D5B1AB7778411D1D4F40A4E167A5CEDCA9B1C96B225C72E9BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.221{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_getprocess_lsass.yml.tmpMD5=635071050ABA657BE0ABAB6373677F5B,SHA256=77F297DB2D88EB8A562796A41E656CBF274DB7DEE09160958135BB551BD9E9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.220{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_dnscat_execution.yml.tmpMD5=42A5B4FBBCBF8B803F411257476E2F69,SHA256=F89883FCE9E00666CF8C1ACB06EA96F7FAE8CE525B6E6A49177A0C345CE4EC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.218{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_software_discovery.yml.tmpMD5=15A9970F0CCD379E23CD9C8AC8E6DD9A,SHA256=DA4F8DE3CA495A9EFFDB2AAFB399243B2B68B729EB6D191E2C8B75CD3390C4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.218{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_remove_adgroupmember.yml.tmpMD5=1C6C111F4E8EFEEFCEB1D87EF504BDA8,SHA256=2BF820164B402682951F5C128562623DDA72B5C2E427AEBA92F4C09C5E67FB8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.216{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_memorydump_getstoragediagnosticinfo.yml.tmpMD5=E6F8746B878169ADC44C9DE7EA050DD8,SHA256=E5540450F34A080BE702EC3186C7CC82FF963D729C79D10E49335F05347BC092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.214{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_smb_share_reco.yml.tmpMD5=A5BFB3ECDAA67401D739BC5EC7B25F5F,SHA256=62D927EAA4C375AA81ECE39C344501A9A07BC099AC95F77EBFFA9D10E170D817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.213{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_execute_batch_script.yml.tmpMD5=CE299F18111B1C567B59D8B782429ED8,SHA256=63AFF9FDB6114871CBD67EFDD0B2E242DE3BA071E742F79A030BB828314D7630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.212{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_adgroup.yml.tmpMD5=5EE5CB5711B09CA37B9A4D4D70C9DD04,SHA256=527DB1435D3093B3E35C6056E0FFD97DF4ACAC1B8BF8964D0B9CA0A128979E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.211{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_win32_product_install_msi.yml.tmpMD5=0237460DACB014985609A563984537B9,SHA256=A30229B899D3A785326D583A36075E07DE9E3BE59AE7438F0D0D6451FC1EB936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.209{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cl_invocation_lolscript_count.yml.tmpMD5=9376F35A108C9A59D9A5ECEB4A88F8B3,SHA256=A5FDFFD5221505EBB8CBB2F4AB0A7F343EB6AA7FF8AD23C4AD41BCB69B9204D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.208{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cmdlet_scheduled_task.yml.tmpMD5=BBBEDB10E8D73FB28E025EB38FAB8FC9,SHA256=91B1504C086A304D242E1E7585931047C684BC7EEB9FB397A2210AEB0FFF189E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.206{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_import_module_susp_dirs.yml.tmpMD5=BF92AF7E0FCEC2FCA452AF062405155C,SHA256=2A6FC60A7F76C4534C21AA002932F4481710A68D39A76F11112A72C5A83EF55F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.204{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_security_software_discovery.yml.tmpMD5=98981250B041B568DBC45F5C1D9CACCB,SHA256=621499861A92645B39123B2BA800ED5BBD93831E8D73DB9320F9E83FE5782AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.202{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_windows_firewall_profile_disabled.yml.tmpMD5=8D8B68676B6FDEC551EB8F47F15B232D,SHA256=E45C9982B3FCE0630AB7BDA68560C97C51D2A55E762A740E40DCD47099314F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.201{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_new_psdrive.yml.tmpMD5=533DD602CF5DF18D28391C127132B9F6,SHA256=A56EAC7AC96696FBC2072B27AB91F8A5635E1DC78762CDCF9D3BF684352F64F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.200{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_mount_diskimage.yml.tmpMD5=FD37E12E4C9AF6E71466759407E9FD61,SHA256=255617CE4A5C7A7D122C6D2EA7D43B862A8A5A7F9949E18B79725B8D342C9D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.198{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_rundll.yml.tmpMD5=963C7ACA7658079D0E9462F0A0BA4211,SHA256=3EAF39663BAEB3A9F3EC2997BB7A1327CA5D910844CE7513FB59C62B81C9D503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.195{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_process.yml.tmpMD5=0F7D35E34A67A07FF295534464B019D5,SHA256=11D1733D43C8FDFF0BF406924D077CAF62238A246E9A501026308BE915466F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.194{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_compress.yml.tmpMD5=EF56D4397EC715B8CC37EF142047813F,SHA256=79BFC8014C513072E64D09581B9BBB9877B99581CFA65DB0E9CC927B74DCBBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.192{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_zip_compress.yml.tmpMD5=EA210864D74D43793108DC72B274FA3D,SHA256=467F33FB68DA30FCE9D8B809AF119D09CD227F8C19416B78CE5A98C8FE42002A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.191{A78D3DEB-1A7C-634D-1100-000000008502}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DD8C1A529A832D2887FE669E65DA6B80,SHA256=12A8338931CF9A2CFC47883286240DB2650E21B90F58258848BE08CF49E4662B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.190{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_ntfs_ads_access.yml.tmpMD5=8714B0BEB8DB662C97937505A23EF443,SHA256=7FBF71473E78DC0B6DE51395481FFFB92F13DEC8491C498A901B5AA406961A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.188{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_tamper_defender_remove_mppreference.yml.tmpMD5=945A6AE30FBA07AD60C958C1948074A2,SHA256=A409DC09F28277F787A27C4E5010F0478A8129230FB5C491853C69B55704C87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.186{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_start_process.yml.tmpMD5=9E113DE35833308EA32110B7C79261C6,SHA256=49F54DB6E17D145986951AA43FC02CDA5CF7B0084EAEBE73047C39F6D4CA15AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.182{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_icmp_exfiltration.yml.tmpMD5=F79F8362457B89BC6845C60A808A1957,SHA256=3792DF7FCCBEB9A286441F00F514B804FD05DAFE02821BB2D1334F7FDBDC6C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.180{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_accessing_win_api.yml.tmpMD5=579AEE844950BAE589B21F4020855995,SHA256=9E511B3850BAB9068E32E00C71A5BFEB19A2422EC6616ADF1B3370995A565E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.174{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_access_to_browser_login_data.yml.tmpMD5=194CE9C11A66FCC1176576479D68B6D4,SHA256=35FBA3E2FFF43DFDF80319BD609AFB8FD2F3F4C44E0973DBF37594AECDE7DAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.173{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_send_mailmessage.yml.tmpMD5=C8A9BE74211C7E7AE9C8827132205EE9,SHA256=2768C62DD0ACB6F518789EB7B2E69080392E1D7BFDE25315A4273FCBD113AE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.171{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_extracting.yml.tmpMD5=747173B42F49D80E5768A37B74D8BE22,SHA256=B427A2B193FEA0B6423C1AA8432CA5A100B92CC190108049608C4286D3D1E3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.169{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_psasyncshell.yml.tmpMD5=D699F8B1855EAB576E4CBED26A73ABE8,SHA256=1CB7DA0871DFB728808D5B8C6FF75A0CF50F3CB420D4BF1EE2BE4A225B96F339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.165{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_keylogging.yml.tmpMD5=FB4602079D78AD547C221381EAB1BDAA,SHA256=A2A3596FE83C2072278D566FE1BB3E2B48424B808B93088F0E292585D2C6D488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.164{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_enumerate_password_windows_credential_manager.yml.tmpMD5=781E987F1B7A9B15F2E782A01338C6E4,SHA256=F08419485C5E436DDFFC763CB3B2D2E023189A8036143F8270BC4A6252F7E7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.163{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_sensitive_file_discovery.yml.tmpMD5=78D524E87AA7D792EBFE227B6BC0B30D,SHA256=6BD324CC9129A4AF5691B66DBBF099E083C2BC99ADE976DD0BDD3F2601B6292E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.162{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_hyper_v_condlet.yml.tmpMD5=B0A90A3AFFEB91F1FB8A17A908CDE32A,SHA256=15875782B2ED0A11C1E8369B2F81548AC5BFDE377C6280E38EF9E6959AD7F0B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.160{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_shellcode_b64.yml.tmpMD5=B729E93422B8C0F2A6CC5C894CDD51DB,SHA256=5973295455E9E83F190AA5A152476B1F0F8529B70D552EAF685B3E04271B71F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.159{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_prompt_credentials.yml.tmpMD5=1753F9E06C750C542CB92F77EB3F6814,SHA256=5B59BD3B5DBD1D8D9F1BB801AD902A98F43D2EEE14A814C7EB2AA50D7C9FBF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.158{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_local_group_reco.yml.tmpMD5=013DBA5B9D5ADEF35D0DB190DA391611,SHA256=F211E80E0788896C4D8DE078A251E6A5A4AEA4873464BC6E16A11D806420E9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.154{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_win32_shadowcopy_deletion.yml.tmpMD5=304CB57D8198B32CB2CDD97FB6FF4CCE,SHA256=4D4638C02FA50B08959DAB7CBBA7102E919ABD2E5CA41AE594A255980500327E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.152{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_shellintel_malicious_commandlets.yml.tmpMD5=149C7D4099DF2566639AAA1E5361CE2B,SHA256=C7D413031B2AA4CE0A6007594CD407FFC30186CD290322A97CB4516225292E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.151{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_iofilestream.yml.tmpMD5=C54585199EB99DCF49962AD888D3A268,SHA256=8E59975A0B2D4330DFDF2A237A5F1D3F0710CA1B8464E82E22E5E25E06C6D9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.149{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_wmimplant.yml.tmpMD5=E0CAFE70A00ACF2BA2C104D468AE6CA1,SHA256=B40C1F510183DF12D2838FC172F40B8F29786C2BC28C506505C14FA4987E842F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.148{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_current_user.yml.tmpMD5=42ABD34A31D68E0B1658E2D9BCCE6C08,SHA256=1C7E42BD6E1B74A1A6BC9DD3C26A5950977979023F978458CB9061040C13208C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.146{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_set_policies_to_unsecure_level.yml.tmpMD5=B8F1E031CE73979057A2F3CD995BFDD8,SHA256=323CCFC329CA099DC1E1EBAEF4DCF1747839AE7E2D5D5EF27CA60FE705A2CFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.145{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_wmi_persistence.yml.tmpMD5=C08BE1FB2184974DDA730417AB244627,SHA256=9057999B26F8A19AC20F00F65424069982D2A76AF030D8FF1352AE80134ABD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.143{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_directoryservices_accountmanagement.yml.tmpMD5=058B929A2830D81CB37B7F20615D50A9,SHA256=4E371B84513C4ADB2791F2454853FEC506EFF4A9703D4D7C8AE6FACD4BB39E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.141{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_export_pfxcertificate.yml.tmpMD5=993CC590B9A565099CA950A2A2C6BDC7,SHA256=2CC38118E99231B456ECB09AE0D3BB5BDED6773290A53C0E19CCA44ACAA53238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.139{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cl_mutexverifiers_lolscript.yml.tmpMD5=3F15C1C8FDD3EFE487B4C030F24B3FFD,SHA256=DD2FCF318264C0D5A4E4B023A1EFFBA81C96C9D82ADB325C4DDEE913D8071591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.138{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_nightmare.yml.tmpMD5=CF400AE250886309D7238ABAABB609AA,SHA256=8094403B33078BFA870DC6F04A32618D8F27EFEC62F6BE37D714760C05E5CC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.135{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_directorysearcher.yml.tmpMD5=8CB1B2E62B840515CB40E45D8DB24B15,SHA256=AA98846BF56ED6D069DCDCA717CEDA6DC097D58B91AC46347C53539A0BA5BE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.133{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_invoke_webrequest_useragent.yml.tmpMD5=7E97C169191DEBB90C2E0998FF489144,SHA256=DD9FF0894C263F28F9EB3268009211A1315ED72BEE2C207A145CCCC36902F4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.132{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_stdin.yml.tmpMD5=A11B41EC2851BC7743993295FE3DA245,SHA256=651B063AA9D7D03AD436F885BBF3FB6EF3CC5346BD041FEF852C9535DD299314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.130{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_add_dnsclient_rule.yml.tmpMD5=DBDFBD09871A8231C7B61D61D1437BF1,SHA256=A29760B5DBE97005664AFE97B448036C9A53EE6CD63AF39806985EAA860E87F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.128{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_get_acl_service.yml.tmpMD5=08A7902A8A6AFA4403E5BE8612B19471,SHA256=A7A159422EADC7539A98E8E44F1A4F3B98AF46FF2E2CAE244562400B9642C6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.126{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_office_comobject_registerxll.yml.tmpMD5=93C162F4590DBD1D37ACC419A66E1136,SHA256=95C64E8FBC438CB08A26ED6872E2279A2CFC0BB9C31F687E7DF6B63C53261C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.124{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_root_certificate_installed.yml.tmpMD5=1A9D91A041987830DDB7B3CBE9F1FAF6,SHA256=DA33B9EA0CE1E2F00060ECA556BE6A7302CE89CB6EAD414F3E0085D2780AD6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.121{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_enable_windowsoptionalfeature.yml.tmpMD5=0C7B0A3C4F27CE56BDAA548DCD42AD16,SHA256=EFE135473255B6782AD086776AAFC999C5B7173BA4AFCCF993235B394C2B87E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.119{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_hotfix_enum.yml.tmpMD5=9CC77B6990644BE2011412AC15888FF7,SHA256=E343D3808AECEB44D481C4DE798ED36354A6B166CCD037BE17200318462C831C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.117{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_winlogon_helper_dll.yml.tmpMD5=B1DA59BBFE87E3B7CE59027C2BA6061C,SHA256=734B10555EA4E0206FDE2790E8748E5820B8A6F780EB581EF136AABE2294FAA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.113{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_create_local_user.yml.tmpMD5=B5EAFD6E68108F7DD037FCD0716EE6C4,SHA256=B61571C67812EE5F933F4335374C3E0190C2D036DEA862246DC3B66327E789E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.106{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_clear_powershell_history.yml.tmpMD5=5D5D2A0840B064ACC0A3E836794FBCD5,SHA256=886B956B404EE7F6C2A3A55DD9B0CC2C50922257F5B5E3E4A721D98AFB43038E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.103{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_download.yml.tmpMD5=3F4662992AD423862CC2849705CB0A2A,SHA256=52BD16345B8E59A1E9781266C65AC582D3C4F67EE515120977C6A0554D4119B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.101{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_gwmi.yml.tmpMD5=0D6C311F255578B2F2B752760918854F,SHA256=A6B28EECD6CE65A966FB607B321A72EF4B32C0A2E092CD9A502A2AE7D59E6102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.099{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_win32_pnpentity.yml.tmpMD5=79431F018AFBB5390ACBCE1DC1236C34,SHA256=378220B249E7AC096F0EF99DFE1CA792737DDF3714A059D7D5CFE0DE4DE6B06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.092{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\wmi_event\orig--sysmon_wmi_event_subscription.yml.tmpMD5=AA5BA88B460FEBDA429609D694D837D6,SHA256=1603FF6C5DCDE00A7A7B98561E77DA3A4D962A4F014FFF3B5622C89E805362E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.075{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\wmi_event\orig--sysmon_wmi_susp_scripting.yml.tmpMD5=A19DD19B74E56FC0ACC5CF6422C1B1B1,SHA256=83E2FA3340912488E0E32E03018B1195E6FF12594692AAABF17C32A0A4BF2C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.073{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\wmi_event\orig--sysmon_wmi_susp_encoded_scripts.yml.tmpMD5=A16C420B852D8E95AEE38BA484A17DCB,SHA256=EE3219C836FF215658FDB15416AB510EFE42D19CBFA5AD0B7E441E10620D2309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.071{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\taskscheduler\orig--win_rare_schtask_creation.yml.tmpMD5=AFB4625ABF693C45AA5A373E7E37EC1C,SHA256=F3ABA605EC10ABD77F61A64E3CDD7895B9145826D7912A2C5434D46A18F99EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.070{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_tamper_protection_trigger.yml.tmpMD5=8F60370B9226D72ECC1E6FC4BD3D0121,SHA256=52D88B74E537BCDEA67C84EC304114649384E75B68E10E2D0CBA2FDA57D299BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.068{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_exclusions.yml.tmpMD5=ED4F58927FEBDC38C66617C5D8C808C7,SHA256=A2A4D4A3F25F7DF5354E81E3450C87059628EC34307D673E36A3830E4085F350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.066{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_alert_lsass_access.yml.tmpMD5=64D9307AC1044D802B6267BC9AC0AE72,SHA256=96AE6AC99F74057D0B678ADCF58534BCA5C7A933F01B9869DB47E2D0C7AB68D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.064{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_exploit_guard_tamper.yml.tmpMD5=94FB98661A62D5FAB183A78C8C81714B,SHA256=2FCBD9720392E1E68B5E1A17271B6DA088740C275600D43554556D12B96FD778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.060{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_psexec_wmi_asr.yml.tmpMD5=D51C68F4DA0365B9830EACDEC287A41F,SHA256=FFA8928F624A67BA5C4ED7B8537603BF0B483714B91B12CF31A6F4FAB022E11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.058{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_threat.yml.tmpMD5=07117DD80C958889D553B5E10AA34A2A,SHA256=FD1FB34548A2F89AA80F851FB4BD992EBC1F924308CFAB3FC0B71A909114996C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.057{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_history_delete.yml.tmpMD5=9C2498BF2035DEAFA9F149B46B94D327,SHA256=82A06175174C6E777C7FCDEFE7218333B9DE960E428413985E92ECF342CFFA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.052{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_disabled.yml.tmpMD5=3D5B6326A1A2F1BACCFA006EF6BA6BD0,SHA256=95E8E1D68D8D6D795B3D73B3F9734CD962372F527022A966A8757F69A9CC08D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.050{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_amsi_trigger.yml.tmpMD5=017F2271194DE586F17FFA63629A769B,SHA256=2D2A3EC73DBE8B6FA2EACE5E613AC673B818A04A14006678C861CB172561EC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.046{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_domain.yml.tmpMD5=712D296F44783D1F36CBB5B80F371F6C,SHA256=DF32B3643EAE990CC7EFF80710660E190C91D21E74A5CD211B83B59F2F44E529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.043{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_powershell_job.yml.tmpMD5=106D77CC81F2712E0D93739F0AB33C58,SHA256=F901092C070C2932F81D4224FBE96C6C7F3C3C29AB3DF7F8F76A271A56D7E046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.041{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_local_file.yml.tmpMD5=21A342732B10AFFF514B1E019E3CCD29,SHA256=3E693E85ABD59DAA6B31FDC1C85FB222F29B52001914182B2E6CF154019F95A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.039{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_use_bitsadmin.yml.tmpMD5=C3E0613DE3DCEEE06760F7ECD60A5983,SHA256=0AF087C7648A8D2DE2C54C94B0C86D5BB54FD66EEC024AD8B0E93053141C6463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.037{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_uncommon_domain.yml.tmpMD5=7A36BEFF3D7369B7458F6DFA51ACAA61,SHA256=D414F3864D165E33403C3DD27A8540C3C62BE5256781B79D7598ECC393BFAC6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.035{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_local_folder.yml.tmpMD5=08E1981C9E88E07F8659CE13CFCAF060,SHA256=0C5CEDEFC4A3364EC981F2B6B2339AA72823A5C256E6A85C9CB433B7A42BAB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.034{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\smbclient\orig--win_susp_failed_hidden_share_mount.yml.tmpMD5=1B008DDBED3C09FD3EAFEF16D8DB2BE4,SHA256=800B14EABF9DB9081A6A2781D0FE269116C614735A1ED8D8B6BC059418D63275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.032{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\smbclient\orig--win_susp_failed_guest_logon.yml.tmpMD5=483AFF18ABBC033B44907E8AF45154CE,SHA256=802A92D4372922255C6FE4781A14308A769C75B0CDFE0064D125B70ECF815BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.031{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\servicebus\orig--win_hybridconnectionmgr_svc_running.yml.tmpMD5=73532C224551B053C6E150DD17637876,SHA256=D503ACD922E3301F90C67B6C7EB976E361F3952CBEB373316B843D388E87512B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.029{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\driverframeworks\orig--win_usb_device_plugged.yml.tmpMD5=52EEB75C7253652F4B6255A7B37C7D0B,SHA256=BF18DEC02BF58490D4D16B8F6378FAABC47F64DCC9811B3178BB65F217DAC344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.027{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\applocker\orig--win_applocker_file_was_not_allowed_to_run.yml.tmpMD5=2B464384E79C032C18131B7ABDBB6F82,SHA256=0DEF571CA51A120E72AF646796FBA93A4F433F0A1DBF62BBFBBAFC40E02825F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.026{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_audit_cve.yml.tmpMD5=F93491554F3A2BC97C8814717E2CE24E,SHA256=E1E5BD1F2D6CB3A4EE12A76A84ABBA38CBF8965F3F417051716A4BDF73D2DF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.024{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_builtin_remove_application.yml.tmpMD5=0E04B4039B0B5DED00F985460102EC6E,SHA256=68FD6D25810C5951F45A060AB4A62D26B4FFFB7CEAD2BF56C0DB3DCDD95E1F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.020{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_susp_msmpeng_crash.yml.tmpMD5=ECA39D06E98E5D0BE66FB03575ACC544,SHA256=C75503B92B530079FE8988395F99318D61114D10D285BFE9BD819333AE74ECAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.016{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_esent_ntdsutil_abuse.yml.tmpMD5=6F41977F5BB6FCF7080583C5F5BC663E,SHA256=7DFBE585772FFA2F255233FFCB4EF2F573B9E700790F62A804569FB97C99F15E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.015{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_sp_maggie.yml.tmpMD5=32677971AA222C9F64AAABC1EDAB058B,SHA256=F00558CB2EF1A648806DD69BA0F4E6A20FB34AC1B3B43AECCCBAD78B026ADDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.014{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_add_sysadmin_account.yml.tmpMD5=7F36619BDD98A5D72E41356DFCB68900,SHA256=0C5E951142A7E85D9D7F53DE2FF0BE69E541006FFF90B904E9C6F7390EACE553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.012{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_xp_cmdshell_audit_log.yml.tmpMD5=62440DDA092C70B35B1C5B52584A160F,SHA256=671E0E40D0ECA906383A1C1206CB1B09C2163D655AB2F27EAA28564EE1FC5B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.010{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_av_relevant_match.yml.tmpMD5=6F0BCFA7B1BB550173F71CFF17875ECC,SHA256=4F9515BB2A7C63F33F2B9B06F85C5FE9A97580C836C9F86B49F6274CDEE010A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.008{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_disable_audit_settings.yml.tmpMD5=6BDA3680A89B331E973B114C2B515B05,SHA256=1150E69653854168763C7AD4225DDDBFAF7BB4A5CAC44DC8F212AC0227A6BC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.003{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_software_atera_rmm_agent_install.yml.tmpMD5=2B20EEE78B316A713ADF5148707E9DC9,SHA256=4C9AE410B38E42A87BB4E4B586467B5DD23F82EC6997203D6BE032C95C53AD2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:56.001{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_sp_procoption_set.yml.tmpMD5=E2CE3B6361D08BEF8BA82BC1DFD5AA77,SHA256=389EFA2E2C7EF7CCC0D779B0D3868537D5791781CECB9276EB810E31368EB966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.627{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\respondent-20221017090356-001MD5=75B25DC729C19E88528C82668494583A,SHA256=ABB595BDF77E2788F2F972811CAEECA924DDF1180379487ABCCADDFB4B859A12,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000518052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:55.505{5C0BDE06-1A79-634D-1800-000000008502}1756WIN-HOST-CTUS-A9701-C:\Windows\System32\spoolsv.exe 10341000x8000000000000000518051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.134{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.134{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.132{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.124{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.124{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.122{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.057{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.057{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.049{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.056{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.049{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.049{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.045{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.045{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.045{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.044{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.044{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:57.044{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000750954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.983{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.946{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.911{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.873{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.837{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.797{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.748{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.744{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.744{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.744{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.744{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9800-000000008502}4760C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9500-000000008502}4492C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.742{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.740{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.737{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.735{A78D3DEB-1AF5-634D-9E00-000000008502}54845488C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000750824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.732{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.693{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.693{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.693{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.693{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.693{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000750818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.693{A78D3DEB-1A79-634D-0A00-000000008502}6402536C:\Windows\system32\services.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000750817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.574{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe1.0.7Aurora AgentAurora AgentNextron Systemsaurora-agent.exe"C:\Program Files\Aurora-Agent\aurora-agent.exe" --service --config "C:\Program Files\Aurora-Agent\agent-config.yml"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=49DECA39E47E2CE4763AE97A807DD163,SHA256=3E6E4FB3B2A2C093D0C235736A7C31CD7EBE3EF9D15BE0602FC8CBBCAF0DA3D0,IMPHASH=6E0C98C468B7CCA0B81F6A50A530DE09{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000750816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.631{A78D3DEB-1A89-634D-2C00-000000008502}26642032C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\tileobjserver.dll+c332|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000750815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.631{A78D3DEB-1A89-634D-2C00-000000008502}26642032C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|c:\windows\system32\tileobjserver.dll+c2df|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000750814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.631{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.631{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.631{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.631{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000750810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.557{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_pingback_backdoor.yml.tmpMD5=0494DD162416A9A97D19F96ABC643100,SHA256=7CC5FFA246B7FF0409D51D1F0DFCFA45CAA5024D1819DCFCDC46097745633B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.554{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml.tmpMD5=9A22901D14DDF13B8AF446E6DADB2E6A,SHA256=E193FCB0838BB1D44D031665AF789A00E667578595E027F8D6F7EE9EA91F0127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.553{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_access_susp_teams.yml.tmpMD5=0CA6BFA812C425A2FA26D17658AF1FDC,SHA256=9A8DBF1055416BB4AB7C3DE94E20EC26342823299E11DC1DA4BCCFB40AC088CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.551{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_exploit_cve_2021_1675_printspooler_security.yml.tmpMD5=5C44A035004D60F8F8443CC6539E9B7E,SHA256=1F36BEB0B232C7327F0533E2B11E29E7737D421750932E2C8BDE46EAFEE0DA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.549{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logons_single_source_ntlm2.yml.tmpMD5=00F52D8E03E48952638B0DE8E13D7215,SHA256=494416C15FAAEE1E2FB4C1ED3894F5DF7A2153EFC16374CDC61335B79813C336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.549{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_petitpotam_susp_tgt_request.yml.tmpMD5=AF60FFA881C11DC516C39BB5AE665EBD,SHA256=E527977043086636093EDBE1D159743F88F056F43C5CC12DC74307E710A785B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.548{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_ntds_exfil_tools.yml.tmpMD5=995909F66D8D0ACAD044E16FAE79CE48,SHA256=5FB3141641D342EA32AA09937D06BB9D1FFF4ABA52FF8715C905FF3945103B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.544{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_hybridconnectionmgr_svc_installation.yml.tmpMD5=20C924512124781F86F282341DE5B900,SHA256=27069DD534EB0D905571AEE05A956EC92810438B5E9B7DAA81B14CDB7BD4082A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.542{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_gpo_scheduledtasks.yml.tmpMD5=55576B410F2606225B779553A9165D31,SHA256=A01192845803781A3A50E6CD7CF792A4B02F94F13F0140D5C2FCBEF614F44216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.541{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_exchange_webshell_drop.yml.tmpMD5=F77C4C654E7874D10A5038DC47BF4DEE,SHA256=D0360A2F0E391E4DF291E6DAD8A289E6F219D5A32993CDB2BD6FF03B2B1C84BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.539{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_delete\orig--file_delete_win_delete_appli_log.yml.tmpMD5=629E2A86AF2EF314DB5021EC0C3B0526,SHA256=026F99BA3DF3284F1941463986D8CD360EDB403049826A5A2223DBCD8FFB9C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.537{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_outbound_kerberos_connection.yml.tmpMD5=89FB664B74C058C8ED091B01CF50B321,SHA256=B8E1E6FD40BADEFCA99FF3E6AAEA0A90EF4B66D01E13BB8E026EEAF09A059CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.535{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_uac_bypass_wmp.yml.tmpMD5=FA70ABB971255936059F51DB4552EB70,SHA256=3CE9F2D0C764CAF34B890E70BEF60A34DF3E0B39590F531BF3939707F4C109C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.533{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_svcctl_remote_service.yml.tmpMD5=013D1554E5A45016C665CEA4DCF4EC01,SHA256=F136FCA0EA3BA2C0E667D4E2FB873E75920B88051DC3A183C4BF84327E596C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.532{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_rottenpotato.yml.tmpMD5=108059647DA5605035D5A5936431DCBF,SHA256=8CA350972D80296D1EBBFEDC6D3662586DAABE9BA9789F82BCD4BC89FBF4A88A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.531{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_samaccountname_spoofing_cve_2021_42287.yml.tmpMD5=8E3691C67E404B17ED60C34BD9CB8EFF,SHA256=CF971A77EDF2BB1705B12087E531F99C895F9D2B60A1E2F6AC7FD902ED48188C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.529{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_outlook_newform.yml.tmpMD5=E6E03C2D9829DC0DD393B9F3E22EB790,SHA256=B7E148BFDB6B1195452195FA35CBD71689FE2615A1CA62FB7D18157FC4846224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.527{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_stdin_services.yml.tmpMD5=F942D349AFBEE784BFA7F65832B03C92,SHA256=CA98B0A6BADF395678A2BAEEB067073F970449629C498726B1FD1E77D7A562C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.525{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_legitimate_app_dropping_archive.yml.tmpMD5=B2E13C4E0126069BDB41086319BD7DDA,SHA256=329CBE22A28432A5A40E89E9C4F78E6121A8B05CDCA29E2B59000D7430C2D242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.523{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_via_use_mshta_services.yml.tmpMD5=D6D0A549531F03D5A136C583E8F5E976,SHA256=BD7588FEBE7E3B237F9A504A221CE6D7763286B3523C30D932999B5246D3726F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.521{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_service_installation_folder_pattern.yml.tmpMD5=03833FE15C3C3A848373405AEEBB3551,SHA256=BE2006FEB87F25D13C6E5BD4AAD2D4858C0E2A9E8F77DAE7F0289B134BCF01F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.521{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_pfx_file_creation.yml.tmpMD5=955A3DC838575D7D70D2FC7D4BB6FD20,SHA256=32CA591522E9922863046DB11CBBCCEF1EE0EFC0685F6F63C5A807453F832916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.519{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_word_template_creation.yml.tmpMD5=0563268526B2011448DEF4C819F50395,SHA256=E816EB3560BB4324A432103DC21E14D17346B5328734C3A8064BC567F4A38CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.518{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_camera_microphone_access.yml.tmpMD5=235AB6C2E74D6FA56C5CC155FB2F4B7C,SHA256=3AE0F1F848BEFB85DC25146926C469DE8E694592E22E40B3CD17215558CAF6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.514{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_hidden_user_creation.yml.tmpMD5=8B9773A6DB93E88AC9D402972460D96F,SHA256=0623CC7D9F232B9531B2094DCC3AAD96709E6A70F9DFA575B715794A66FE0E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.513{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_new_files_in_uncommon_appdata_folder.yml.tmpMD5=FB1E0373C0E9F5E9C9BFCF0988F6A902,SHA256=0C60EB0D35E44E26A07514ED1400E5670FE73B481F97BFAB94A478CD1EEE585E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.512{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_advanced_ip_scanner.yml.tmpMD5=728DA01958DBEF54343737645655B084,SHA256=B786291676A6814316F006294C3F493909A8572BF717D5EABBB67BB8FE500E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.510{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_apt_turla_service_png.yml.tmpMD5=D69E7BFA8FDE429A3077089EBB956637,SHA256=2EEC419236098BC2FEC1583DE0ABA15F12401C3B339E8D3D1327A9CD0FB8A2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.509{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_user_driver_loaded.yml.tmpMD5=76B51C41D56BBF650BDFDF50FADE53E5,SHA256=5285C8EFFE9382EFCB1EB39141F3753A72A1951234E352D1C17D3E3C84305D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.506{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_default_gpo_dir_write.yml.tmpMD5=ADECF5241B5E5B9402AE70452CD469AF,SHA256=06C0E6075A3425C7F6828627064C7FB44531470E3BABB49B52E2E523C7080EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.504{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_bloodhound_collection.yml.tmpMD5=CC4A20802CF604E2E819D8D5B4AFF7CD,SHA256=37C0AF1E0DE9ABE48CF20D3D3EA2F119A6DF0DC54D931168DE4EE9C4D2B0B67D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.503{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_double_extension.yml.tmpMD5=F750859A6BE0CF1ED36063948C264AE3,SHA256=BF06ED50265B1FF67E80158AED9FF05C800EC9EFDA21BBC95BE2223CCFA90DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.501{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml.tmpMD5=3D5C48C211900484B37E91C95E51BEF7,SHA256=4AFEA04D0D4A473AECA58CF7425434F0CB5C1DBDAF813D1F29A46639FC5EE9C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.501{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_hack_dumpert.yml.tmpMD5=706087453282F4224465B7D0A450EBBD,SHA256=6C07AB55D7179D58CF461B474FE2CC9140F38618A369BBE34101FBCBF59B5297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.498{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_msdt_autorun.yml.tmpMD5=71CAF36A222D7B1A3758291A5CB31F41,SHA256=01308E8ED168ED7D90B37FC3091932F436DCA8D1CBE7C431EC8F1732BED2671F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.495{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_var_services.yml.tmpMD5=16CE49D1D595E245DE06865AEEF8BE9B,SHA256=4E49CFBA92F313B52F0B297375B049C638470B44D2607498187A652C1BD08ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.494{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_hack_smbexec.yml.tmpMD5=32182AE16FFB0F3C2B011D14F89569BB,SHA256=31D236232174824E7942CB83EF47E3EC22B8949CAEA871DA1E0801161F26B913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.493{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_vscode_powershell_profile.yml.tmpMD5=95C37B220CBF122D49B345D4D00F8F1D,SHA256=81848B5373B82F88A62B965C64CD90A4E173A83B74E87728D22EA2655EB382AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.492{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_apt_chafer_mar18_security.yml.tmpMD5=5958728230D0A59618CEB45C86CD73D7,SHA256=2CAA68FECA6D4A28F79ABCC2D2A0020090C87EEAF79FB0DC0D6B75E68C83B256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.490{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_iso_file_mount.yml.tmpMD5=A15BAD8AA09BD9D1A1ABB41BC97D1651,SHA256=98FBCACF7E3F1472F070E07A0217A962BC758184FBD3A559AEE6B8F41743767B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.489{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml.tmpMD5=D9FB272E39FA3BAF7F825CE0E42AEF61,SHA256=69B943774DAC59B8B9D1E8652223F353E483132C0F380D9A2E12C15C8EB7AF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.488{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_overpass_the_hash.yml.tmpMD5=32D15932AD0C8E708BD599C6B7F8C399,SHA256=4B85E0A89210FDFBD223C7B2B0551175B30CF513E58AA5DDF9D241FD8F4AACC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.486{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_system_update_error.yml.tmpMD5=78796286C58097FB7F0840908368AC42,SHA256=694B3D301B7F30325B5E2C4B31988C41BCC68A27DDC37A545ADEE3E5DA3641C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.484{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_scrcons_remote_wmi_scripteventconsumer.yml.tmpMD5=F32AC9557AF9E2CBF208CFD77B631073,SHA256=5FB124499C8E77361C73BBB48A5BA65473D72C50BE50811AE17E8D8987C52A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.483{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_office_persistence.yml.tmpMD5=54F13DE002A81B3C17BD7CA8D220A0AA,SHA256=05B936A139E314C0AA7DB4D7C67FA450BCA134B2221012A165F0AA5BF962AD1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.481{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_csharp_compile_artefact.yml.tmpMD5=12776429AAFA38CD28B15F0860D59951,SHA256=4B475B2A3B9F0F46A7BB5E644B018B6AD4A31305C4884D04F47D31DAA734EED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.480{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_sam_dump.yml.tmpMD5=39108637AF59025481101E989818FAA3,SHA256=999FADB5E03866E07FF4E63B5A2755F62158A69D43C49983710DEF9D685C4B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.478{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_possible_zerologon_exploitation_using_wellknown_tools.yml.tmpMD5=618B9E9AE097B7042EFEFC3392A48A46,SHA256=18C634CAEC96DCDCAFD924905BC3D13CC83D64A022F1D5F8D448750BDFC910F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.477{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_alert_enable_weak_encryption.yml.tmpMD5=915B0CC1A72547E803DAAAE126F7BD4B,SHA256=83AFDC0517DE76804869A525CE0F02990BDA88564C97E374BFF439D39A354103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.475{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_win_cscript_wscript_dropper.yml.tmpMD5=4F9D574EB474A4D8B151572BF526E16E,SHA256=15B5D814A103A70FA3CAB6708C5F0D7882A25B13C5EC11FDDCDE19C89863C0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.474{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_uac_bypass_winsat.yml.tmpMD5=17C6E56387594AA1C05D8CD6CFB8C493,SHA256=3305ED06FDA5D61441C432C148BBD27F1912911AD361D952A4919650EDAFC119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.472{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_installation_by_unusal_client.yml.tmpMD5=1048EFF09B627C3EBA82A43413723599,SHA256=CCA99B3CD70FF78858857F72DAF09BA7217851831F716454BA38281C30ED5996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.471{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_via_use_clip_services_security.yml.tmpMD5=239E584046FFE2F12E3FE01E5E43C493,SHA256=E34DEC37FDE477B8B85E55EB8A6D0981530588E09D4207DE72ABFEA36F573F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.468{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_redmimicry_winnti_filedrop.yml.tmpMD5=C6B9F6B0D5C0589994C843000FEEC08E,SHA256=B3AD7E64136D9F59B20F980F39BE2515F9A80990DD42B0AEFD813265BF392097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.465{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_clip_services.yml.tmpMD5=F5870F47AD9E5E4AEAC6B7778B2C0E25,SHA256=AC4C1D0CCC5F126D476CD6C81BE0E3FE97DAFBBB241D0D37806974ACFD189D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.463{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_detect_powerup_dllhijacking.yml.tmpMD5=BBF2E8A4F78B0BCAFF456EBD31A04B2F,SHA256=1766D9941F43E0081578B33776F4BF866E318BF04663F0454FE9741F41B56A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.462{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_alert_ad_user_backdoors.yml.tmpMD5=EB3FCA2DA1CB4C0A53236B8C26E33FB1,SHA256=F362375FC15B2EFA4DF197A64403C1B8C99BAF10CDBFC0F5AADE062492F434A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.459{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_vul_cve_2021_42278_or_cve_2021_42287.yml.tmpMD5=936200BC612477AF0745F8D856BC12E1,SHA256=67D2D05942517308E8E0E7DED3F4D8B03D7797FA641BA35D50A04483F7DAAA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.457{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logons_single_process.yml.tmpMD5=DDF610175F4697AE604799FFD84C999E,SHA256=84219C862FE0BF5D7041C0A9DD8A28E75E818AECA732450C98FC3B1696BD9332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.454{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_lsass_dump.yml.tmpMD5=C5616B6404F466F341BDE620F6CCC99D,SHA256=DFDC4FC6D36235CA2291E919FBFE932573024F2B9E10D5752F5A73792C189009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.453{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_dcsync.yml.tmpMD5=22C196C55D0CE1D28E8E36C8C1617D49,SHA256=C2393637592CCEDD03D5BB49F91E03E1F75F1E8111C9151A39A5FFBE4F93D6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.452{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_via_var_services_security.yml.tmpMD5=EF1272761278BA695C8D9064CE018562,SHA256=69E077DE045A98D1DAE0538F955118C0D79FE1C0F5E935FA6F175F1DD7606A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.449{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_wmiprvse_wbemcomn_dll_hijack.yml.tmpMD5=BD61791449843A361635FE73B7FAD3E5,SHA256=BD55C43E53B2C8DCD7D56BDD8E925BA95A405687D3CCCDCC50F3C46DB1612DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.448{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_disable_event_logging.yml.tmpMD5=C11F208B92E5071C286158D0C030FC33,SHA256=679B36C970287AD7E88670DA6BEED4CAE0D16359086EEAF723E5ED1ECECBB3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.447{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_moriya_rootkit.yml.tmpMD5=9A0B8CE506DC2B747360607DA2D657CB,SHA256=EBF817CF0FB5181681B20EDF71D465AF34E733EDA5E6340F3317D0B0DE737B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.445{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logons_single_source_ntlm.yml.tmpMD5=8ECEDCF33B82C8D881DE0849E4249A9B,SHA256=0DF6A827C3DB079089AB0324E0CA417E6569C850E293445BAD3CD780D0484E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.442{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_install_teamviewer_desktop.yml.tmpMD5=D249E618C35766BD69C0890DC61735E3,SHA256=0C9EC94B43ECC4233768BC17586225D55D9C02B85530BD0899F351B34FC775C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.440{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_win_shell_write_susp_files_extensions.yml.tmpMD5=38357BE45D05433A38F63EDC4B760ED8,SHA256=200405F364B927E1C7A521AA0AC4C64E7A726560E0700770C4C8304F382B20E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.437{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_vul_cve_2020_1472.yml.tmpMD5=CB00262E66574C12B4F259F359BDD125,SHA256=54E047F01854F54DFC3618C56BE65E3C58C13C2D7D776EDE86EA9C83A9D0ACE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.430{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_kerberos_manipulation.yml.tmpMD5=5DE1408D1F52339D0C93B334148D97FC,SHA256=34F0F66AE1D12F95277E0C5D559359BC06102681CCF50AAFF82D7865B6F08597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.428{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_net_ntlm_downgrade.yml.tmpMD5=D2E967326EB2CCA178DD14406B55073B,SHA256=587EDCF5136BF989E66917FA1688B3425490FC2579596E391D56137CD61D8F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.426{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_impacket_psexec.yml.tmpMD5=41BBD01F2D5D8F53FFBCE1DB4C9D6E31,SHA256=A025B5E3CA00C815C54D719125E59F204E8664096E385143CB7FECB26602F980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.424{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_iso_mount.yml.tmpMD5=169B6734860C263C87286ADF501EB113,SHA256=7909CAF0674A50A32B7D1D854421D5562E9EE78576F0CA3276853DD5ECDC5845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.422{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_rclone_exec_file.yml.tmpMD5=76F76A25E4D0E69F998929E8689BE6B9,SHA256=5F14B1B33F275ACAA8A2DB2021BF276111317F15F51BEFC9A24952B134E4CC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.420{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_admin_rdp_login.yml.tmpMD5=1A5EFDB442E57E1D188EF7AEE56E8E2D,SHA256=39CEC2A2B31E174728FD519683CFB8E0CFF49ACAF731B4A6E714FD934D7D1187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.419{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_powershell_profile.yml.tmpMD5=350AE7A0225AD2345A6BF5A58E155A2C,SHA256=1258C6334DDD7BA24DC58408276170BFC4F7E2D0255C85C13FC8EF7E7014ED32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.416{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_scm_database_handle_failure.yml.tmpMD5=1B47C83F55DA7BB88305387BDB00A671,SHA256=3DA4C8EC68A4A523F956CA42E1C2F189A8B2BE97C313D02282E4AAE5D6B6F846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.415{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_mal_adwind.yml.tmpMD5=4010D3DCAC393A70CDC0A57D8C0E3E0E,SHA256=893A73A23FDF5CA551F6CB6ADD90FAD88C6BB6F603582C70A563A972A630BFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.413{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_wmiexec_default_filename.yml.tmpMD5=B81034825F76B563D7569F32CFBEB3BB,SHA256=1EF2EF852538102BCB45B325519AA48124E05539795ACB0203D6590132930E33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.411{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_delete\orig--file_delete_win_cve_2021_1675_printspooler_del.yml.tmpMD5=DF2E5442BA1EA79288CEC3309DE1F0B2,SHA256=CDE788DF4D956CD48F95DF7ABE18FE7D79C59FC7C4A98E328802BA4026E4036E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.407{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_cve_2021_44077_poc_default_files.yml.tmpMD5=0033010D9BA573775CA24922E3292373,SHA256=0B9109F2731B3DF74DD50B8A80DCDBB2BB37B04C32FC70497BE13AE02294EEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.404{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_opened_encrypted_zip.yml.tmpMD5=34595F8C006B6ABA1973690C01450745,SHA256=7843067A915B6D23929B65CB0BCAC091D3E1A3684D05AE81BDE17316C94B91D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.402{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_crackmapexec_patterns.yml.tmpMD5=B6982874CCEB9785295A0B232E356515,SHA256=4F80C0ECA2B0EE9409EB878E58587D9170F51D0C9245EE3457617190FD14A7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.401{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_moriya_rootkit.yml.tmpMD5=D50050E94A8ECAC48AB9237A24588FB8,SHA256=5B7A700A1535E032F137A77CC9DE598B3B4B7A610C219EFC8120102F59A975E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.399{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_notepad_plus_plus_persistence.yml.tmpMD5=EAD42288B73947DF25F8595EAE207581,SHA256=79EFD575C7DA9CC169B134A7EB5CDA48167339B8B930346A550B0450E04D6B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.396{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_possible_dc_shadow.yml.tmpMD5=249FFEEA77EA518C183DD8B5A7E64E90,SHA256=C17E57D02A9BB353E2965A34EB2C381C526B86D0C1BD753B5EFF98A292939B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.392{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\apt\orig--apt_silence_downloader_v3.yml.tmpMD5=AF7E9EE05BE0E14EA7BE10E463487F35,SHA256=86F2A1B9CEEBA06B9EF4808AD38810E1217973588FF01672A68F1DADA411CD38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.391{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_uac_bypass_eventvwr.yml.tmpMD5=3A14AF16F427CD97F239E46B4B795529,SHA256=3D9CE46867A96305A21AA4BA9EFA2919DF106AD4A1155F7E139B982A0AA6F55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.390{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_plink_remote_forward.yml.tmpMD5=ED205EA1BCE5540E801FEAAF3DE39E9C,SHA256=737E075A36432FE90F50F7A9C44E674A7BD375BF1FDE798FEE1BCB30A429D173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.387{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_ghostpack_safetykatz.yml.tmpMD5=8F7670EB5454111B794126D328E39BC1,SHA256=0E7B29FDF1F121DC914582A20141FD6476B3C26293F7151CC1F8F0A10253D7C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.385{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_defender_bypass.yml.tmpMD5=938A33B7F33D20D77C90B5DE4577A4C4,SHA256=534564E4AE525A149FDC25A5499D610D053E3FB734C1BB76AD5242EB81AC9B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.384{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_legitimate_app_dropping_script.yml.tmpMD5=D62889FFB9B1E76EA05B850836AF180C,SHA256=B191A601411A2907E08D3024F51A6698AB6B3FB1068736CB4F8BD2C0D0614803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.382{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_desktop_ini.yml.tmpMD5=810B86D94BF5104C327B75C9C98508FE,SHA256=3100D5E4B0B18A4F2717D2473DBE3163BE4A568C764469CE02BCC1A916703AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.381{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_via_compress_services.yml.tmpMD5=C0C48C10BD3D295614092FC492D5D509,SHA256=D0F48DCA2A5EC0CF6F6217488883A79A7765A8F09EC7F0372698FA996DA8C6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.378{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_uac_bypass_consent_comctl32.yml.tmpMD5=39C0F4DA108EEAC0148467F973A75D78,SHA256=EA192C2031B3CE79BC928324DF88A9DDEC28B48B6F447FCDCA4893E88B4142E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.377{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_ad_object_writedac_access.yml.tmpMD5=1805B68E47FBC7DEABBC3D31A07E8F98,SHA256=8AE4AF2E45EE8DC336274CE978642AF998ADDCBD52DFD1FAF547007B6A0CAB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.373{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_startup_folder_persistence.yml.tmpMD5=B7C5A6FFE63835AF5DA1ACD26FC96106,SHA256=913101599E924B41D166B05FEC77799E8249815AA4B066A678BE60D5FCBF1C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.372{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_legitimate_app_dropping_exe.yml.tmpMD5=41173956F88D74DF27EDE4B80C85C2AD,SHA256=30D1FBB2011F9FC18F487EE957F2EDF181209B5C6FAC4C7B98E9BDBB03BB1552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.370{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_iphlpapi_dll_sideloading.yml.tmpMD5=736DEB3088BCF67F5C8AEFCFCC9B3EBC,SHA256=7EB0750E92A93520294E8F588936440F342103304CD726645E48DC4D629407B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.369{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_gotoopener_artefact.yml.tmpMD5=A5440669443D87F1FA871E2BF0D318DB,SHA256=74B99EBB785608654692266401F42ED0DA87BE7FD94FD11C73BE901FC3CA7BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.367{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_change\orig--file_change_win_2022_timestomping.yml.tmpMD5=286087E11F295269DCDA0BA11FE97D30,SHA256=A1644C285A7DF9941C81F448D946392B276525700EE15A6E04378747D76DCF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.365{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_account_discovery.yml.tmpMD5=933A6B3EBF857C774A67EB524EB65718,SHA256=F5EE7EEC918D6CB15C5C6B9C0544AC9F0334537E73E3D7ADAA0D1F22DBB6F19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.365{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_rtcore64_service_install.yml.tmpMD5=69129809656F09EEA165E97D03485FC3,SHA256=0669CC95D3175D7FD42C68C123DACB3B676042B119CD8F687F8956DB4B4E1529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.363{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_register_new_logon_process_by_rubeus.yml.tmpMD5=E72175DB90440D598CE77993678476A7,SHA256=2B2B84EC96EA76AF8A5CC637399ADB545F0DFFD16CBE13F3FFCBFE5801FBAB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.359{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_via_use_clip_services.yml.tmpMD5=41F1B0A39A52E279BCEE2371F9433FAB,SHA256=E41CB888FB23A0AFA2F9B5465985E818837C6331C4227F8E4B357F74D2584FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.357{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_adcs_certificate_template_configuration_vulnerability.yml.tmpMD5=5D126D8A12EA8E0E272D3CCC4131DF0B,SHA256=8779B493F6FFC378566D787F8F2F5F6D67F5B8B909652A33995FABEC6762E4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.355{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_rdp_potential_cve_2019_0708.yml.tmpMD5=5322BAB7C30109C29BA4FDB440AC54F3,SHA256=12FC4E541928EE776549129F56789C7BACD620A0589771B9219E004BBE456E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.353{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_script_creation_by_office_using_file_ext.yml.tmpMD5=E6A87CBCE9367804B6D019E21D84BA96,SHA256=770A59315F103B34331EC06BBD0C6EBB221B34474243A7886F9B78AF58CF216E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.350{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_syskey_registry_access.yml.tmpMD5=C5911FD7FEEFE1E5038DD8A4506D77C3,SHA256=6D5E5224AFBABEC77E7699F9926BDB0D3796777ADC5CB2D79EF859D347D92C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.347{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_teamviewer_remote_session.yml.tmpMD5=07B5C5BE39D097D78E1714B84057ACDF,SHA256=E92228DDC9501A04607D6B09B694E938F47545546B8B3F29F586B9DE063A0D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.342{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_sdelete.yml.tmpMD5=B81D8970548A7AE09DF525EC1BC8FC2D,SHA256=51982F519D06D78B5CEC149E345339CE6BC71972D5B32E19CA95B7A3249C3B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.340{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_creation_unquoted_service_path.yml.tmpMD5=7CDF9DBD51FFE2DCCA7D86530480C4FF,SHA256=CDACEBD2A1459B2B1277DC3E9037CF209010DDB846B634D8D53611C8BE05FCE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.339{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_rare_service_installs.yml.tmpMD5=5BA94D6F052D5FA34CA4FB90947D1FD8,SHA256=07FD4E81390EFBD0A1460A8C4A8DB69BE00EB97F236B404FAA24EF46B968B461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.338{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_cve_2022_24527_lpe.yml.tmpMD5=26567404CBC3DE8C12A9009DB9FA03FE,SHA256=515FEE2D2FCDC32ACFF5A4E86F95570AD16D1AE0CD2740C40835C412B3C285C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.336{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_remote_powershell_session.yml.tmpMD5=B6AE55B187EF5D19691DD5D59260FEED,SHA256=0BA455E755E0CA53A683B90F30BE7E199F2C3B06857CFA0BBE09317FA1AF928B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.333{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_adsi_cache_usage.yml.tmpMD5=B45711C4036E8083F9ACCD33493DF332,SHA256=41BE09856C5FEC4F5377C5CCCFDE7E7A3CFD2035E08009D7514DBFAB2C1BF4FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.331{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_screenconnect_artefact.yml.tmpMD5=F1C46BFB30DD2114A263A123A0A9893E,SHA256=47F122D0897B0CDF54FE3C11FAA8EF87B11ACC512A3700884879AC23862E6216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.329{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logons_single_source_kerberos2.yml.tmpMD5=7653885120D50B54CD6A43752C48C691,SHA256=79457F918CB6232C3AB6548957F6A3C46900395C84505F76F0ADB6A1A591CF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.328{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_via_compress_services_security.yml.tmpMD5=771932BA8C6973E527738B8CF7072A35,SHA256=E3DFD5E151020BA8C49B55DB21CD05D47A48256325AA9F08BF0476EF6EDA40FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.326{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_susp_service_installation_script.yml.tmpMD5=294A0E72E01489F52827CDE7F6CD8B67,SHA256=E93BA2F5038CE6C7EF535C12ED17588149050CE79E2ACD40870E92809533D433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.324{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_chrome_remote_debugging.yml.tmpMD5=83B3187E59D8353DFDBB7E2F5C64B83C,SHA256=DEB2C0D79C7D1CF84C0B85378C3D58220F726E39086AD8A74CA3755FB3E52E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.323{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_uac_bypass_ntfs_reparse_point.yml.tmpMD5=97982A45818BFCB2ADAF2D9354390AA6,SHA256=02094B91E42CF770352A33BC5AEE357FBC3004530433130E7E137F7DBB73E848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.321{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_new_src_file.yml.tmpMD5=E09714E01489B787CCBDD2A8EBC03971,SHA256=7FFD4E6D3E8D2422FF70DDB03966A63E0F42F2CD4243D1F2A20B204E229AD7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.320{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_net_share_obj_susp_desktop_ini.yml.tmpMD5=F77FFB544806D8CC22ED00CDEA4216CE,SHA256=CA1223636E62B13922315E2FFC23AD990520239A599D91E8B25A2A0FD3323DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.318{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_macro_file.yml.tmpMD5=160E63EFD1A45ACEBC21356E4404424D,SHA256=FFA4061CFEBC656988F70F30C66DAEB570D18061F008B92D9B3FA4D073CE33EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.316{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_apt_carbonpaper_turla.yml.tmpMD5=0396F985F1306B71E5DC3A1FE62D0DC0,SHA256=D5C384691EB7A59DE3A4DB4AFC4F20BFA46525B3E14027F1200EB2B92C82EA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.314{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_opened_encrypted_zip_outlook.yml.tmpMD5=595730B8D3FA97870EB5C6D8AE169AAC,SHA256=05099BA63926043035CDDDD29743423E8AE60BE57E6F6BF670CB5D9B9162C207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.313{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logon_reasons.yml.tmpMD5=6086305B0AECA0E2D081FCE298ECE2E9,SHA256=109FF59A39A530D32FBA2EA5F0ADD4E6A2753E9FC2676A70533143F1A70D6A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.312{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_dce_rpc_smb_spoolss_named_pipe.yml.tmpMD5=2B647473352F67913B8F4923AEFEB425,SHA256=ABC2A3E6A92FC0DE152C46C858BB6373D76194850BB73FD04A1759D559CC415B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.311{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_mal_wceaux_dll.yml.tmpMD5=0E38343B5D8318A71558BB95DB9D2532,SHA256=D56942D825EE6A401200827316C84F6620DF64F8C0C94757D0A57A8DF72DB93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.309{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_desktop_txt.yml.tmpMD5=CFFF03E8BEC73F2FE49E01D7EBCCA5EC,SHA256=3D8329569709C393692D50D2A271F24F1FA13DBDACE5AEB1A7AFE1191C5F938A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.306{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_via_var_services.yml.tmpMD5=4FBC43CD041AEF0E226631392278D411,SHA256=F3627B1CC446982190E887CCE9A5F9AAD1DD471E13D304D91B90EEB8E023518E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.303{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_admin_share_access.yml.tmpMD5=2F9FE3E820A18AB03348C2962C797D67,SHA256=54649FC370131C9C9E26890F7990D4AC1FD67136B23DEE1B1E7D2CD86262D859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.300{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\apt\orig--apt_silence_eda.yml.tmpMD5=38931E63CEBEA7C6448596BFA7724577,SHA256=A3274351E4BDCE8B5C5B489FC54DD746B688BB2980FE569CF6CC2A3A72D28988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.297{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_transferring_files_with_credential_data_via_network_shares.yml.tmpMD5=81A35E06622D439BDC3A0BC44416AD8A,SHA256=93655B8F0C4E4427F54843DB230C5A6B8B58144785B25D79E37AF320E35A9925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.295{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_external_device.yml.tmpMD5=45766F94B962EAACA4911D32E36BAEF2,SHA256=AC74CF6587413A6F3B852707E4CDE371D990DE07980CA701832F78BBF10174CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.290{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_account_backdoor_dcsync_rights.yml.tmpMD5=561FAB51C989D63467ECFCD8FBAE3322,SHA256=66F7DA2998E8626F42D3E9B56E89AC5B489F26EDD8843089C63436A38220586F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.288{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_logon_newcredentials.yml.tmpMD5=ECD971044533B2F2F499D20C6A63E543,SHA256=5E3F137B3C22F72879DDE4DE3A1EA5B3CB50CD4D29DDD0B3DD70DC259698DAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.287{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_desktopimgdownldr_file.yml.tmpMD5=E40FB0DFFC2E53AA67C7B0A8A95F2528,SHA256=967A59291627EE7AE6C6C59495551FA78CA52CB19E1D918035461FF722C7C4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.286{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_ntds_dit.yml.tmpMD5=2E7525116A08B5B9E9B4940C81B426F8,SHA256=68B789A4AC5AD6B4F831EE473D8D96F0474736004E3A9F6DB7496AF06A7A01C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.285{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logons_single_source2.yml.tmpMD5=EBA9AD1A7695FF9CCAA1F0654794FBD0,SHA256=31094972AD5E491A7F123DABDCD8BDC2074314B6B1B45B3BFD3A65A5E3C706AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.282{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_apt_stonedrill.yml.tmpMD5=A960E73DE5EF2C85891E8CF3CCBF8400,SHA256=CE9A26066CBCA6F1F1BD6B86063C26EEE43B80D66E40BA7B177220238D5AFCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.280{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_failed_logons_explicit_credentials.yml.tmpMD5=1E97B299284D1F414A34E6CA3E9C5874,SHA256=57704AD5B21BF7ED4ABCCDA55023351818985528A766D201BBBC7DF8AF469AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.279{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_quarkspwdump_clearing_hive_access_history.yml.tmpMD5=7724937DEDAE8FB70C766204D4E890E7,SHA256=CDF7BE518E1E1BE1FEEBA6DC7D8ECF8337919C68BCBE7ABEB3FB4C3F60E0BB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.277{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_lsass_memory_dump_file_creation.yml.tmpMD5=B5404DBAE91AA677AB822A2224A29744,SHA256=413C2B39E1DB452396A6067D48DB8AAF1EDA2A04B699AACE05A4D94BDD0E1475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.275{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_delete\orig--file_delete_win_delete_backup_file.yml.tmpMD5=572C177434F3C836B8C45601D599AFE5,SHA256=81CABD2941C6AABB6AFCBFF0681240DC16ADCEE300F9176A4F42832B7F6AE299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.273{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_creation_scr_binary_file.yml.tmpMD5=C52EB68DC32B4146CF1DD1BC63B7950A,SHA256=6F8273AFB8E7254910A8365129F38362E5D4836DC5E81DD204DF802E2EF21E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.272{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_rdp_reverse_tunnel.yml.tmpMD5=3AFCDBC451CAE12FBFA8574AEAD1CF26,SHA256=47E50D43E86E75EB7DF2C1C71D5E56C5B77576CF53C57B0ECC66776E2BFF63ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.270{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_rdp_localhost_login.yml.tmpMD5=208BAA11B236B492F07893B86C297505,SHA256=CC85B918090E9D25FB5C41690BFEE9B56F460D2FAA300B860D1F0425EA8B2B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.269{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_lsass_dump_generic.yml.tmpMD5=7A0FF1EE560A8974D8E8A45E84F0F776,SHA256=DCBF9C96F8C843BB9D5A4BB219A8B50CF63F8F131EEB31D21B374458A541B050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.267{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_delete\orig--file_delete_win_unusual_deletion_by_dns_exe.yml.tmpMD5=10D20570552869E76835C551858A197B,SHA256=31912ABF6E475303F02F7978B56C1EC4D8285A05618664FC901665D876B80349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.266{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_multiple_files_renamed_or_deleted.yml.tmpMD5=DFEC5901D36E7E4D5DF37B14DF60C310,SHA256=DB8BD8714F9496E4AAB8D5BC09CFE60CAD5C96A6FA9A77A447F71B2D6DC645DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.264{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_delete\orig--file_delete_win_delete_prefetch.yml.tmpMD5=E94C7C186F56856EE79D308DFF218010,SHA256=C12F039A20546FD84D707EE988C204C327A0D6E726B5680E4A88B18C02BDD8CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.262{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_lm_namedpipe.yml.tmpMD5=B5D4E6EBC45F184A5B7D6FBA77AE554C,SHA256=D9AE6C685A29E633DDC57EFC0387DFAE88B98E78B4B80C9354164FF296BB4963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.261{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_hktl_nppspy.yml.tmpMD5=7312D7C231875A9CC78C7DA0B7D36A32,SHA256=4C3634E68488DE79B9D800D10110D0B07FFF7B6832028CE0053148B6B1447140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.258{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_eventlog_cleared.yml.tmpMD5=4674945A7B0D5A0E112AF3A085D3344E,SHA256=DF148FCA9E83896F1DF87070C742E05CDD3F65C68A4F67E7211A3E5F8016F729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.256{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_invoke_obfuscation_via_use_rundll32_services_security.yml.tmpMD5=3510AB7C82F7AE45B3C5193E3C3A48CE,SHA256=728A42FB7AAC78988B5F635055BC66ED070AF3A9E97AB3E1E194F22BC7F5133C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.255{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_event_log_cleared.yml.tmpMD5=5B5B3213E419D6C127C6DA585147836F,SHA256=2C83572B7B993C9F5B2EB03A4DA437A2BDC52B323BC7DFD34E20F5DD8B49E98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.253{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_pcap_drivers.yml.tmpMD5=7E8AFA028F22FADADA813719A6666445,SHA256=2FCFF116E8A268AD46EE7F286C56AEB9E7C639394E1ED82B06919784F932F557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.253{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_uac_bypass_ieinstal.yml.tmpMD5=440F7D8D07AFA3074422A5AA7EEB0578,SHA256=389657DEBA778CCF2B42FFEC183A868073A6F028A7E2F6A0CD4FCC125FDA851C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.251{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_hivenightmare_file_exports.yml.tmpMD5=C2DD055432D4A16A2D0A1EFC5B86907E,SHA256=25FBF694039DF76875A36285625BC290F787C3C41DE9E54993A32CAD11E5C87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.249{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_winword_startup.yml.tmpMD5=1B395B82D647E552E02F9931F85163F6,SHA256=2EC2C1E0FD17B0D3EC0B24AD434351E310FAC8BD6423933538B2F63C756A3AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.247{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_cobaltstrike_service_installs.yml.tmpMD5=CD1EDBE29D5427D0C5A99CD3E6F65D1B,SHA256=55D04D021C7715114980DDE4AF1DB4CC85AFC4AF8E26B4DDDD8A5A6EC060C075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.246{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_uac_bypass_idiagnostic_profile.yml.tmpMD5=8458DBB1E75E40945DAC63D13A1629BB,SHA256=A1221F80A294AADCDC885898E45F2C3A2FEDE5A715349F5F7EE842E094B104C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.244{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_uac_bypass_dotnet_profiler.yml.tmpMD5=A55A31AA9437405F8A999D86C4917D3D,SHA256=7FD4099447FAFD5D70AAC3BD5DE038B3653A56493B6F10940541A3A8F4DBF9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.242{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_mimimaktz_memssp_log_file.yml.tmpMD5=9053C932B23285767BB740B6166F701E,SHA256=8CAA9BED35379DCCE6D348639907B470FF8C288025CE3DCF0A6F318EBB5331A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.239{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_powershell_exploit_scripts.yml.tmpMD5=47BFE1194FB13AB6073F99030F35BCAA,SHA256=E76C7895CCE1E7BAC1EEBE02A69401D8BFBC3D88E4001DBE12856D4D875C9BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.237{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_lsass_werfault_dump.yml.tmpMD5=7B67B9325BA78249F4BB2AEA8A58E99C,SHA256=1249FDF67AB52F34316AAF02582DDF784B0BCCFBD7CD759EBA377500778B74B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.235{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_metasploit_authentication.yml.tmpMD5=B0784F9472A6ED1C9B5DADDFF68FE29E,SHA256=DF42C2FFC1F340FD9E8EFA77A063D9D55079EE6A6D601CD70D0C278A06527487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.233{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_add_sid_history.yml.tmpMD5=410F2D58D4F1BAAAF52C6C79F8EE26DD,SHA256=4245939AB830A43F0A3C2EB52407AF584532C63D4ADC94729DFB1F66AAF5E461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.231{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_protected_storage_service_access.yml.tmpMD5=42B146C929D1AD27B9A29780ADFDC733,SHA256=9C12C63B0DEC8E6D27CFD8EA34696FA84A4E84DBA105817A3CDCDEB97CE227F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.229{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_change\orig--file_change_win_unusual_modification_by_dns_exe.yml.tmpMD5=3318CA584A8876F1846263A11291647C,SHA256=A1BB184082EAC51A61F60D375D9DB224988CB3140979E0ED4014209366171EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.226{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_outlook_c2_macro_creation.yml.tmpMD5=435543D494CA3F153AABE7553CBB0BCC,SHA256=629EF956A0240EAE9626468E34E9A7D161C1AAFD01450E4DFE3664EF58B01C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.225{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_rare_schtasks_creations.yml.tmpMD5=4C20F0811AF6A97DD37F81D99EF07167,SHA256=3D62AF86A953F5CC5F4D868C90417761CCCE201B7AFDD62D5C89AF2C82440975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.223{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_pass_the_hash_2.yml.tmpMD5=F60A5D366166E6BA2D6147A9429E766F,SHA256=479504971AC27F004517636106D91EF2486FF8FEB781DC0632AC0C361014D0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.222{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_not_allowed_rdp_access.yml.tmpMD5=0D019A04920FC6C37CFA00EB5A26F183,SHA256=E696D3DB9A247805C49EA2218419D0F3F196B024B3B0D8907B7FC2F39667F718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.220{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_executable_creation.yml.tmpMD5=BDBEB794CA5984D7560C92DD524C7C58,SHA256=A392DF424800E6B00159E63AB9DF29A6A6FA5116BA2BDF3D990EB778B066AD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.219{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_apt_unidentified_nov_18.yml.tmpMD5=21B4E2B340373699D2E8EF9AA9B9570A,SHA256=3BFF47E3B90B85067837E09E441252E8F7899DE00CB05DCC57962433E849B832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.217{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_apt_chafer_mar18_system.yml.tmpMD5=751492138F36220EC9DB0FA3EF05DC88,SHA256=6A18F5B48A6F0BF5E2900D325A8FDC116AB8AA74113B8E34E8E9839F97ACFBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.216{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_etw_modification.yml.tmpMD5=B091CBA00B8AA3685FA8AC2C5B77D6B8,SHA256=97251737C5DF63A45404E70BCEE88B059768A60B2FD661EF41AB5AA1980E7B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.215{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_delete\orig--file_delete_win_webserver_access_logs_deleted.yml.tmpMD5=94A06CDCFD7AC72F04E177AD38314E38,SHA256=CC55A4998C9298D27E86220B931CCC38F0B37518368500921EC1BD503C31EB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.213{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_dpapi_domain_backupkey_extraction.yml.tmpMD5=0A2CE396531C5D4FD782D4A2BC0B7CD2,SHA256=27586CAC47C67F2309EC409FEBC81A639D9F55D0D45680DD41ED86213E64C20A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.211{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_user_added_to_local_administrators.yml.tmpMD5=39BA65E33AC50169DC96FB648647FEDE,SHA256=BAB6D753C1C767B500141F7632A144DC177F25322E24C07EACAF41E82D831864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.210{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_lolbas_execution_of_nltest.yml.tmpMD5=9F15F0A25BDD78E9A3F26952EC04057B,SHA256=9E80969016C2B6334B8FABF9AF1439777CA497C93B758EEB17F2113E6A1C2654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.208{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_error_handler_cmd_persistence.yml.tmpMD5=018E4FDF97AE6CF78CE1991C12E65012,SHA256=1565872AE8F909BA434E575687B2DE7FB8AFA740F2BA1288CA73FB2383A1D63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.206{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_service_install_pdqdeploy.yml.tmpMD5=C1C879394C70F1EFEE08D8DB85644348,SHA256=42359DB3E20EED0068E4E6EAD4307643B4A72C4A360997B96445276AE3E6E3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.204{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_anydesk_writing_susp_binaries.yml.tmpMD5=5FD66450C520C5E6D40D7EB5456094D9,SHA256=193D3E6568FDBF4F2B0DB51E15ACD9D6E446B8565996BC1E5B2650B7B923E5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.204{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_via_use_rundll32_services.yml.tmpMD5=B9A74CBB6908D6E1777B751E347873C7,SHA256=AE23586EAC1DBF37C71EE0184C5602700338A9D8EA7773A731010F590B2043EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.202{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_alert_active_directory_user_control.yml.tmpMD5=A0A1D5CA4A48E89A02DC0E51966DBB52,SHA256=F0D878FE480210E62849374AA39A5978B02020FBCA9FDA49EB7AA766B4D5D023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.200{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_service_install_susp_double_ampersand.yml.tmpMD5=E5DB7211DA92D0A8804069D7DF5D039C,SHA256=E7C6FA0DFCB6D60706E160198FFFBC45AA097DEA3AE54D807F1AD2DDEB95F56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.199{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_user_creation.yml.tmpMD5=0B18DC20900B0889C7B15BBBBCD5DD6C,SHA256=54795056842B57E8ECBE78EA33100E1E97CB72D9B8C95F0FE0EE40F6037BA7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.197{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_creation_by_mobsync.yml.tmpMD5=940F7AE5C5EA0561C77BED9268B8E7AA,SHA256=FD4D05D554A01DCAD2C9A695E281D0F751E71B45C3E1CF4214F9EF4B9082BFA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.195{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml.tmpMD5=390721B4E8421EEFDD7D4FB7C353238D,SHA256=80ECA74109E0876286A425DACD5AE94623E2BB9B092CA209B11E574B35FFD835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.195{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_teams_suspicious_objectaccess.yml.tmpMD5=64C721B884C11DD427F7373029DB9176,SHA256=AE6BDE22E0F36340C1874E40344F7954B0A7C2AA602456EB9CE846496A21DE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.193{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_invoke_obfuscation_obfuscated_iex_services.yml.tmpMD5=89675ECB4F58BC31EFEBB7CD738E10DB,SHA256=0348B3CBBF2BF6008AC752D04366B4E59E43FB114C53E20FEC224291C94E0170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.192{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_psexec.yml.tmpMD5=044A1439AC2BF4E26E2039DB9722BA54,SHA256=72919B9577FFC00FF3B54D63ECC364ECD965A0891D72C504F7A19B6E941BD5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.190{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_susp_get_variable.yml.tmpMD5=7B5C386173EDFCB3EBD7A8126C3963A5,SHA256=CC7F9612C93E0BD63A7F54D83093628D90AAFEF0E430159DFB738BEF6A340ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.188{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_creation_system_file.yml.tmpMD5=CD0116F2112963754514F0A1D3904A42,SHA256=D96962D5C0656E510DDDBE94C2769D938EE062B944F3BE35C0C8323413A1F6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.186{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_tsclient_filewrite_startup.yml.tmpMD5=3861C73B536AC6172ABCDA2B0FBB19A3,SHA256=2B224B635FC4471EAFDEF2015198C1EE3CD8A21F4224927CE502AEDC4752014E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.185{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_mal_vhd_download.yml.tmpMD5=FA928D9CAF63021F7CA12F8E2993C65C,SHA256=1375C93609F31C599A1DB1772FA09EAFB8C74928E4E0F79EE60ECEDFE960CE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.183{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_tool_psexec.yml.tmpMD5=138EB56B1BD8E7D5595B9E71125B8BDE,SHA256=6A6BBABCAF6F80C8D37519A0E98643F376D390AFFB80267A74816E0304542C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.180{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_krbrelayup_service_installation.yml.tmpMD5=7B16AAF699D96817E458BCF94B0B53DF,SHA256=97C5F9C46B2E0726DCA794B919A3456388139B771843A69A4F7D11145D4D90FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.179{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_new_or_renamed_user_account_with_dollar_sign.yml.tmpMD5=91361D37E85C4E6561D96524FF4380A3,SHA256=64C9605A1E67FEBF5B720FB3BA1B4F63F29AA91C7D3A54440B6DFC2DE90D5345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.177{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_event\orig--file_event_win_uac_bypass_msconfig_gui.yml.tmpMD5=6E02B283A7962EA8B7D2AEAB79E0E322,SHA256=079A0F6B5AFC3FF251D357794DA1BA85080FD4A54B0777F565C65274C4FE9C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.175{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_sliver_service_installs.yml.tmpMD5=4BC56842AC72462FFF0C970B4F5EA996,SHA256=A8B29245C664B26FFDF69037985F6FDC857F43C5F90AF0E9DEB7596D0F7A2E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.172{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_aadhealth_svc_agent_regkey_access.yml.tmpMD5=77143A83F35A6BB4A03D2A2240737757,SHA256=8F5D9FBBF761877C9CCC3B8DAB762E684A949282B0C806396F8261CA0EA3614F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.171{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file_access\orig--file_access_win_browser_credential_stealing.yml.tmpMD5=12249A51A5FE9565B7FF5696ADF1AB9A,SHA256=24BCACF7F29CE5E726C6948F0207818CEDDAC847F8EBF36414E20A4EF748F995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.170{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_dsrm_password_change.yml.tmpMD5=6569B520C764A926D6BCD57F644F9BD6,SHA256=4A1E50EDBBE6BFD6EADA11A319AB29EC68B740DA20DA42F0D62A83B41457C563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.166{A78D3DEB-1AE8-634D-9500-000000008502}4492NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_susp_wmi_login.yml.tmpMD5=4D3D31DF4BE1C8BAB4EC8C05ADBD8EF8,SHA256=EB88CCE79C99A0AFA23F142C9CC2D623C4021FB4605BCCA073D3EEE77BF1E2BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000750601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:55.828{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A59360- 10341000x8000000000000000518082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.997{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.994{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.994{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.981{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.966{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.948{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.931{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.931{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.931{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.915{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.915{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.915{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.889{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.889{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.888{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.858{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.858{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 23542300x8000000000000000518065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.640{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-002MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.576{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.553{5C0BDE06-1A77-634D-0A00-000000008502}6401816C:\Windows\system32\services.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.553{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.473{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.458{5C0BDE06-1A77-634D-0A00-000000008502}640708C:\Windows\system32\services.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.395{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.395{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.395{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.302{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:58.302{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000518054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:56.230{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000750973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.994{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D3A6C1850C7A3C5BD8336E15974FA7,SHA256=19AB89140272CE844465A19AE89E767486CA5BF30D6AB67F3A74917FADFA3579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.993{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9B469CAC728C3DE7F8B57B8DAA575019,SHA256=37B1729BD7BC01BBD93D372C46C635E775946C71CD4F66E36AC587AA68C6F095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000750971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.992{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AEDD01DCF025CEBEBE9E3BC13EC4597,SHA256=20183D342C2D331E9FC2D1407EFE9F3ECA8E48B0222575DB051B0CE17F0CA8AC,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000750970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:58.278{A78D3DEB-1AF5-634D-9E00-000000008502}5484\aurora-agent-pprofC:\Program Files\Aurora-Agent\aurora-agent.exe 17141700x8000000000000000750969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:05:58.278{A78D3DEB-1AF5-634D-9E00-000000008502}5484\aurora-agent-statusC:\Program Files\Aurora-Agent\aurora-agent.exe 13241300x8000000000000000750968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:58.266{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\EventMessageFile%%SystemRoot%%\System32\EventCreate.exe 13241300x8000000000000000750967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:58.266{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000750966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:05:58.266{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\CustomSourceDWORD (0x00000001) 12241200x8000000000000000750965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteKey2022-10-17 09:05:58.266{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent 10341000x8000000000000000750964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.264{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000750963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.263{A78D3DEB-1AF5-634D-9E00-000000008502}5484NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent.exeC:\Program Files\Aurora-Agent\service-startup.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000750962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.227{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.192{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000750960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:57.159{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000750959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.155{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.124{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.087{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.054{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.017{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.903{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.850{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.850{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.850{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.850{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.850{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.850{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.850{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.849{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.849{5C0BDE06-1AF7-634D-7D00-000000008502}25523688C:\Windows\system32\SppExtComObj.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\SppExtComObj.exe+227c3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 154100x8000000000000000518095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.840{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\slui.exe10.0.14393.4946 (rs1_release.220131-0721)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\SLUI.exe" RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=21c56779-b449-4d20-adfc-eece0e1ad74b;NotificationInterval=1440;Trigger=TimerEventC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5C0BDE06-1A78-634D-E403-000000000000}0x3e40SystemMD5=5696ACC92F0DA79A239D33FB9EAEE268,SHA256=1E497C6C9442F78CA7647BDF79B059ACBDFEFAC204C12BFE32A484377F7395F8,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -Embedding 10341000x8000000000000000518094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.836{5C0BDE06-1AF6-634D-7C00-000000008502}35122792C:\Windows\system32\sppsvc.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppobjs.dll+8feec|C:\Windows\system32\sppobjs.dll+8fbdd|C:\Windows\system32\sppobjs.dll+5acc3|C:\Windows\system32\sppobjs.dll+5ac4b|C:\Windows\system32\sppobjs.dll+5904c|C:\Windows\system32\sppobjs.dll+58e18|C:\Windows\system32\sppobjs.dll+4d73d|C:\Windows\system32\sppobjs.dll+4d5a5|C:\Windows\system32\sppobjs.dll+4da77|C:\Windows\system32\sppobjs.dll+4dc39|C:\Windows\system32\sppobjs.dll+4cf5e|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.830{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.794{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.794{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.627{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.627{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.055{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.055{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.053{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.052{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.002{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:05:59.002{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF6-634D-7C00-000000008502}3512C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000751087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.810{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.810{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.810{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.809{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.809{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.809{A78D3DEB-1AE9-634D-9A00-000000008502}48765300C:\Windows\Explorer.EXE{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e77b|C:\Windows\System32\windows.storage.dll+16e491|C:\Windows\System32\windows.storage.dll+16e0de|C:\Windows\System32\windows.storage.dll+16f380|C:\Windows\System32\windows.storage.dll+16de2e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\windows.storage.dll+16654a|C:\Windows\System32\windows.storage.dll+1662a2|C:\Windows\System32\SHELL32.dll+4c93d|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d039|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\Explorer.EXE+11f63|C:\Windows\Explorer.EXE+11cb7|C:\Windows\Explorer.EXE+11c0c|C:\Windows\Explorer.EXE+11b8a|C:\Windows\Explorer.EXE+1c8ea|C:\Windows\Explorer.EXE+12d17 154100x8000000000000000751081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.808{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXE"C:\Windows\System32\mshta.exe" "javascript:a=new ActiveXObject("WScript.Shell");a.Run("calc.exe",0,true);close();"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000751080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.721{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.721{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEF-634D-9D00-000000008502}5320C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.721{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.720{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.718{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000751000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.714{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.714{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.714{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.714{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.714{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.714{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.713{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.713{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.713{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.713{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.713{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.713{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.713{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.713{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.711{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.713{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.711{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.711{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.711{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 10341000x8000000000000000750975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.711{A78D3DEB-1AF5-634D-9E00-000000008502}54845648C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910610) 23542300x8000000000000000750974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.999{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6872D34910727052ECAF95DA7E62BF95,SHA256=01CA777B28F3AD1EA9D749192250EA4EA4C761EB8DBC3C9345ABE30BD894A79D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.901{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.901{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.901{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.885{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.885{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.885{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.831{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.831{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.831{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.811{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.811{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.811{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.811{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.811{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.811{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.808{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.808{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.808{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.808{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.808{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.808{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.807{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.807{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.807{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.807{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.804{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.804{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.630{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.628{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.625{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.624{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.622{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.621{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.619{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.618{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.617{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.614{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.613{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.609{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.599{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.596{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.586{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.584{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.570{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.550{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.542{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.536{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.530{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.522{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.515{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.508{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.501{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.494{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.485{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.472{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.465{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 23542300x8000000000000000518121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.389{5C0BDE06-1A78-634D-1200-000000008502}1020NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\WMI\SUM.etlMD5=BB94F281D0A2D2E913C678F3C48BF3BB,SHA256=B84C544CEDAE67A9F5FEC741F22498FAB03910F38912DCB87DA1453B406045F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.279{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.279{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.279{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.264{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.264{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.264{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.248{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.248{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.248{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.079{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.078{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.077{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.061{5C0BDE06-1AF6-634D-7C00-000000008502}35122792C:\Windows\system32\sppsvc.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppobjs.dll+8feec|C:\Windows\system32\sppobjs.dll+8fbdd|C:\Windows\system32\sppobjs.dll+8e34a|C:\Windows\system32\sppobjs.dll+5d561|C:\Windows\system32\sppobjs.dll+5e295|C:\Windows\system32\sppsvc.exe+b30f7|C:\Windows\system32\sppsvc.exe+557d9|C:\Windows\system32\sppsvc.exe+a276b|C:\Windows\system32\sppsvc.exe+b412a|C:\Windows\system32\sppsvc.exe+b441f|C:\Windows\system32\RPCRT4.dll+7ac63|C:\Windows\system32\RPCRT4.dll+d5bc1|C:\Windows\system32\RPCRT4.dll+5342c|C:\Windows\system32\RPCRT4.dll+35824|C:\Windows\system32\RPCRT4.dll+3473d|C:\Windows\system32\RPCRT4.dll+34feb|C:\Windows\system32\RPCRT4.dll+20ddc|C:\Windows\system32\RPCRT4.dll+2125c|C:\Windows\system32\RPCRT4.dll+106bc|C:\Windows\system32\RPCRT4.dll+11f1b|C:\Windows\system32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000751160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.977{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.976{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.976{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.952{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.952{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.701{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.684{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.684{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.576{A78D3DEB-1AF8-634D-A400-000000008502}58405868C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.501{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.500{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.490{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.490{A78D3DEB-1A79-634D-0A00-000000008502}6402536C:\Windows\system32\services.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.487{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.486{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.486{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.486{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.468{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.449{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.449{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.449{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.448{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.448{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.447{A78D3DEB-1AF7-634D-9F00-000000008502}56725808C:\Windows\System32\mshta.exe{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e77b|C:\Windows\System32\windows.storage.dll+16e491|C:\Windows\System32\windows.storage.dll+16e0de|C:\Windows\System32\windows.storage.dll+16f380|C:\Windows\System32\windows.storage.dll+16de2e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49d7f|C:\Windows\System32\shell32.dll+49c0c|C:\Windows\System32\shell32.dll+b739e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000751136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.447{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "javascript:a=new ActiveXObject("WScript.Shell");a.Run("calc.exe",0,true);close();" 10341000x8000000000000000751135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.283{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.281{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.281{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.279{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.278{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.278{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.278{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.271{A78D3DEB-1AF8-634D-A100-000000008502}57045728C:\Windows\system32\conhost.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.268{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.268{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.268{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.268{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.268{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.267{A78D3DEB-1AF8-634D-A000-000000008502}56965700C:\Windows\system32\cmd.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000751121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.263{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" " 10341000x8000000000000000751120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.257{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.257{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.250{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.250{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.250{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.248{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AF8-634D-A100-000000008502}5704C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.248{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AF8-634D-A100-000000008502}5704C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.241{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.241{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.240{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.240{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.239{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A100-000000008502}5704C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.238{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A100-000000008502}5704C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.238{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A100-000000008502}5704C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.238{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A100-000000008502}5704C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.229{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.213{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.189{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A100-000000008502}5704C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.189{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A100-000000008502}5704C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.183{A78D3DEB-1AF8-634D-A100-000000008502}57045728C:\Windows\system32\conhost.exe{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000751100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.307{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57705-false8.240.196.254-80http 354300x8000000000000000751099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.287{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61068- 354300x8000000000000000751098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.261{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57704-false72.21.91.29-80http 354300x8000000000000000751097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.252{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58291- 354300x8000000000000000751096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:58.237{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57703-false72.21.91.29-80http 10341000x8000000000000000751095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.134{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AF8-634D-A100-000000008502}5704C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.128{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.128{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.128{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.128{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.127{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.127{A78D3DEB-1AE9-634D-9A00-000000008502}48765300C:\Windows\Explorer.EXE{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e77b|C:\Windows\System32\windows.storage.dll+16e491|C:\Windows\System32\windows.storage.dll+16e0de|C:\Windows\System32\windows.storage.dll+16f380|C:\Windows\System32\windows.storage.dll+16de2e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\windows.storage.dll+16654a|C:\Windows\System32\windows.storage.dll+1662a2|C:\Windows\System32\SHELL32.dll+4c93d|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d039|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\Explorer.EXE+91a26|C:\Windows\Explorer.EXE+11a0b|C:\Windows\Explorer.EXE+1187e|C:\Windows\Explorer.EXE+f7c2|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000751088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.126{A78D3DEB-1AF8-634D-A000-000000008502}5696C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000518181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:01.662{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7E00-000000008502}3820C:\Windows\System32\SLUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:01.149{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:01.145{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:01.144{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF3-634D-7A00-000000008502}2980C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000751207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.935{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.894{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.877{A78D3DEB-1A7C-634D-1600-000000008502}12361396C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.877{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.832{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.831{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.722{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.720{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.718{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.717{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.717{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.709{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.709{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.709{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.708{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.708{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.708{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.708{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.708{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000751188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:06:01.664{A78D3DEB-1AF8-634D-A200-000000008502}5764\PSHost.133104711602631069.5764.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000751187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.628{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fddhyiid.gl5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.627{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1sxqjucs.p3n.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.609{A78D3DEB-1A7C-634D-1600-000000008502}12361396C:\Windows\system32\svchost.exe{A78D3DEB-1AF9-634D-A600-000000008502}6040C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.609{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AF9-634D-A600-000000008502}6040C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.602{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF9-634D-A600-000000008502}6040C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.596{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AF9-634D-A600-000000008502}6040C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.593{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1AF9-634D-A600-000000008502}6040C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.593{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF9-634D-A600-000000008502}6040C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000751179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.487{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1sxqjucs.p3n.ps12022-10-17 09:06:01.487 10341000x8000000000000000751178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.460{A78D3DEB-1A7C-634D-1600-000000008502}12361396C:\Windows\system32\svchost.exe{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.460{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.349{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.264{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.259{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.206{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000751172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.984{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60230- 354300x8000000000000000751171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:05:59.982{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A50416- 10341000x8000000000000000751170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.167{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.166{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AF7-634D-9F00-000000008502}5672C:\Windows\System32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.139{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.139{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.139{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.139{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.139{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.138{A78D3DEB-1AF8-634D-A300-000000008502}58125892C:\Windows\System32\calc.exe{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e77b|C:\Windows\System32\windows.storage.dll+16e491|C:\Windows\System32\windows.storage.dll+16e0de|C:\Windows\System32\windows.storage.dll+16f380|C:\Windows\System32\windows.storage.dll+16de2e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\windows.storage.dll+16654a|C:\Windows\System32\windows.storage.dll+1662a2|C:\Windows\System32\SHELL32.dll+4c93d|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d039|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\System32\SHELL32.dll+4a4b3|C:\Windows\System32\SHELL32.dll+4a37b|C:\Windows\System32\SHELL32.dll+49c97|C:\Windows\System32\SHELL32.dll+b739e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000751162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.123{A78D3DEB-1AF9-634D-A500-000000008502}5952C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8{A78D3DEB-1AF8-634D-A300-000000008502}5812C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe" 10341000x8000000000000000751161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:01.021{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:02.424{5C0BDE06-1AF6-634D-7C00-000000008502}35122792C:\Windows\system32\sppsvc.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppobjs.dll+8feec|C:\Windows\system32\sppobjs.dll+8fbdd|C:\Windows\system32\sppobjs.dll+77b12|UNKNOWN(0000020CA407A614) 22542200x8000000000000000518182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:00.086{5C0BDE06-1AF7-634D-7D00-000000008502}2552_ldap._tcp.dc._msdcs.WORKGROUP9003-C:\Windows\System32\SppExtComObj.Exe 10341000x8000000000000000751239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.982{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.949{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.913{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.878{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.844{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.809{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.776{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.738{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.705{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.667{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.632{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.593{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.556{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.520{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.487{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.453{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.420{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.383{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.351{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.316{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.283{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.261{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=91507AF7C34D04B7F2C5CF32217080AD,SHA256=994866BAA0567846029EDA27B91C29FE68485EE84887D8FB3E240E848D2B2FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.243{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1CDA7F6866E04FF96371F4F200BDEF43,SHA256=7CDE7AF47033793FC29A0B42FB2AFC4844B7D08ACAB2B52C922D1009091A7177,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.241{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.208{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000751214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:00.208{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local65118- 10341000x8000000000000000751213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.174{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.138{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.105{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.074{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.040{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.009{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.767{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1AFB-634D-7F00-000000008502}2576C:\Windows\System32\SLUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1AFB-634D-7F00-000000008502}2576C:\Windows\System32\SLUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.741{5C0BDE06-1AF7-634D-7D00-000000008502}25523688C:\Windows\system32\SppExtComObj.exe{5C0BDE06-1AFB-634D-7F00-000000008502}2576C:\Windows\System32\SLUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\SppExtComObj.exe+227c3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 154100x8000000000000000518186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.738{5C0BDE06-1AFB-634D-7F00-000000008502}2576C:\Windows\System32\slui.exe10.0.14393.4946 (rs1_release.220131-0721)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=21c56779-b449-4d20-adfc-eece0e1ad74b;Trigger=TimerEventC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5C0BDE06-1A78-634D-E403-000000000000}0x3e40SystemMD5=5696ACC92F0DA79A239D33FB9EAEE268,SHA256=1E497C6C9442F78CA7647BDF79B059ACBDFEFAC204C12BFE32A484377F7395F8,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -Embedding 10341000x8000000000000000518185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.737{5C0BDE06-1AF6-634D-7C00-000000008502}35123620C:\Windows\system32\sppsvc.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppobjs.dll+8feec|C:\Windows\system32\sppobjs.dll+8fbdd|C:\Windows\system32\sppobjs.dll+5acc3|C:\Windows\system32\sppobjs.dll+5ac4b|C:\Windows\system32\sppobjs.dll+5904c|C:\Windows\system32\sppobjs.dll+58e18|C:\Windows\system32\sppobjs.dll+4d73d|C:\Windows\system32\sppobjs.dll+4d5a5|C:\Windows\system32\sppobjs.dll+4da77|C:\Windows\system32\sppobjs.dll+4dc39|C:\Windows\system32\sppobjs.dll+4cf5e|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:03.670{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.974{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.973{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.outMD5=CC92DD4000C374C4CC47E1317170B272,SHA256=129125F665E5286204D5B2FA652087C865398DB18D8B1F4A98EA4E9DEBC70936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.971{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.dllMD5=9A6C352E7FDE0D572517997519EC2318,SHA256=046CE8EA60FA1A38DD4A970C8C6A40C41F2724745E17BCEAD825555600596131,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000751304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.969{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.0.csMD5=8FF6F77DCD753AB363A73156E14F84A4,SHA256=8519D9175C9469562474AF2F653BE4686167F1F9BCBF7BEE1815755212EF17E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.955{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.cmdlineMD5=A835FEE8A1673973E0B322B7A9279544,SHA256=A820BC0CBC46E7D40502F90B67EDBE79E3789913C52629B919AB2D086CE383AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.955{A78D3DEB-1AFB-634D-A700-000000008502}3944ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4j53tj2n\CSC2CB41BC021EC4E09BB8BD75811181AA.TMPMD5=9BFBE1CD304EEA210D38D472DD7CF6EC,SHA256=4E0E7E049B6065D4040B459AE7E446A5D8CF62B2794F24E12BD63F1F9B887B54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.939{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.907{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000751299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localDLL2022-10-17 09:06:03.888{A78D3DEB-1AFB-634D-A700-000000008502}3944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.dll2022-10-17 09:06:03.416 23542300x8000000000000000751298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.888{A78D3DEB-1AFB-634D-A700-000000008502}3944ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.888{A78D3DEB-1AFB-634D-A700-000000008502}3944ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES196A.tmpMD5=DD6D3782ED51EBF46FF993E02B5B51F6,SHA256=B4A60AE13DA9B4C13B5432C42C6A0A478A2644433C258B9743EB03A2B6B9565A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.872{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.840{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.833{A78D3DEB-1AFB-634D-A800-000000008502}3112ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES196A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.819{A78D3DEB-1AF8-634D-A100-000000008502}57045728C:\Windows\system32\conhost.exe{A78D3DEB-1AFB-634D-A800-000000008502}3112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.819{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.819{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.819{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AFB-634D-A800-000000008502}3112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.819{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.819{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.819{A78D3DEB-1AFB-634D-A700-000000008502}39443104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{A78D3DEB-1AFB-634D-A800-000000008502}3112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000751286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.822{A78D3DEB-1AFB-634D-A800-000000008502}3112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES196A.tmp" "c:\Users\Administrator\AppData\Local\Temp\4j53tj2n\CSC2CB41BC021EC4E09BB8BD75811181AA.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{A78D3DEB-1AFB-634D-A700-000000008502}3944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.cmdline" 10341000x8000000000000000751285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.803{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.770{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.732{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.700{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.665{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.630{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.576{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.544{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.509{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.474{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.471{A78D3DEB-1AF8-634D-A100-000000008502}57045728C:\Windows\system32\conhost.exe{A78D3DEB-1AFB-634D-A700-000000008502}3944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.454{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AFB-634D-A700-000000008502}3944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.454{A78D3DEB-1AF8-634D-A200-000000008502}57646108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{A78D3DEB-1AFB-634D-A700-000000008502}3944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d8c71|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d807a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\2ed32e20cbed8a26a46a4a7213403003\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\2ed32e20cbed8a26a46a4a7213403003\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cde6c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cb8686(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cb82c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+827809df(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81c75233(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cd8ca5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cbacb4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cbacb4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cbab45(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cab865(wow64) 154100x8000000000000000751268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.424{A78D3DEB-1AFB-634D-A700-000000008502}3944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 10341000x8000000000000000751267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.438{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000751266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.416{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.cmdline2022-10-17 09:06:03.416 11241100x8000000000000000751265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localDLL2022-10-17 09:06:03.416{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4j53tj2n\4j53tj2n.dll2022-10-17 09:06:03.416 10341000x8000000000000000751264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.406{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.369{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.336{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.301{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.268{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.233{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.198{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.162{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.127{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.089{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.057{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78602B8424255F7D8BD9959A1BAFBEE8,SHA256=B9ADCE7D54A00460521334B388C1F5C18CE04F1A05F1F16A8899E8B2F05476EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.057{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1843A30099AB21559F850E69FE8B43CF,SHA256=40C5E612889629D036D5E64A6733408F1AB70EAC4AAA2D8FDEE57177557C8ABA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.056{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000751251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.056{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000751250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.055{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000751249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.055{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000751248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.055{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000751247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.055{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.054{A78D3DEB-1AE8-634D-9100-000000008502}43845140C:\Windows\system32\sihost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.052{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=56C452E874B6EF7D0EA99389D75BA79D,SHA256=EAE2249853611F89D34C547C43C51BB34CF7A4658CA0658116A712045415D98D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.051{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000751243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.051{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000751242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.051{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000751241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.049{A78D3DEB-1AE8-634D-9100-000000008502}43844448C:\Windows\system32\sihost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:03.016{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000518200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:02.436{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\System32\SppExtComObj.ExeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49718-false169.254.169.250-1688- 354300x8000000000000000518199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:02.252{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000751465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.821{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.0.csMD5=D9ACA9FFA16C22410A16DE5D5571469D,SHA256=74E86BCD8E601DAC165642F69B571B651867BE0251D7B3D9498D1F080E4D8391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.819{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.cmdlineMD5=703C18F2726FD9584446922B15C4F40C,SHA256=071B570BB96A3D6173EE15A0DBC98F1B1ECD7A2D8695C6D700BFD971BD81CCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.817{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.dllMD5=C0CCF1C6F02F8EA33B628231480D1449,SHA256=69CFD1CE77649C5C8067D344620010BE3EE4C068F2EFCC84CA2D963090AA0A7E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000751462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.815{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.outMD5=3A1984D724C0110CD722CFD3E1F7487B,SHA256=1E94000791CD88099B1B3D01B9EAE268475B21E48BA2B5CF00914ABFCB0E2326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.808{A78D3DEB-1AFC-634D-AB00-000000008502}4240ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\CSC6F5E0EA1A9814A07818E689EC2742F38.TMPMD5=59AEC5EAEA80FEA711D78B03ED4FD0F3,SHA256=DB5235114B3E0027C87ECB17D5DD9EE2D9F9C2E844721D647FC7880C2541B798,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000751460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localDLL2022-10-17 09:06:04.753{A78D3DEB-1AFC-634D-AB00-000000008502}4240C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.dll2022-10-17 09:06:04.616 23542300x8000000000000000751459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.753{A78D3DEB-1AFC-634D-AB00-000000008502}4240ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.752{A78D3DEB-1AFC-634D-AB00-000000008502}4240ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES1CE4.tmpMD5=086E2EE91D2EEEEC56576E58AB11A962,SHA256=4E2BFBE4169BF63843EED92DC76A52040A0ADA3BAE7200D8FF9900F73453EF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.717{A78D3DEB-1AFC-634D-AC00-000000008502}4228ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES1CE4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.709{A78D3DEB-1AF8-634D-A100-000000008502}57045728C:\Windows\system32\conhost.exe{A78D3DEB-1AFC-634D-AC00-000000008502}4228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.708{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.707{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.707{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.707{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.707{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AFC-634D-AC00-000000008502}4228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.706{A78D3DEB-1AFC-634D-AB00-000000008502}42404236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{A78D3DEB-1AFC-634D-AC00-000000008502}4228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000751449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.707{A78D3DEB-1AFC-634D-AC00-000000008502}4228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES1CE4.tmp" "c:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\CSC6F5E0EA1A9814A07818E689EC2742F38.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{A78D3DEB-1AFC-634D-AB00-000000008502}4240C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.cmdline" 23542300x8000000000000000751448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.631{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8A75BD63C30B2787FE2E64F6F112882,SHA256=07C75CD7057FEDA9F75C163E1675897970B8593250A8B06BF6F100363AE476BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.622{A78D3DEB-1AF8-634D-A100-000000008502}57045728C:\Windows\system32\conhost.exe{A78D3DEB-1AFC-634D-AB00-000000008502}4240C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.621{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.621{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.621{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.620{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1AFC-634D-AB00-000000008502}4240C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.619{A78D3DEB-1AF8-634D-A200-000000008502}57646108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{A78D3DEB-1AFC-634D-AB00-000000008502}4240C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d8c71|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d807a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\2ed32e20cbed8a26a46a4a7213403003\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\2ed32e20cbed8a26a46a4a7213403003\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cde6c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cb8686(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cb82c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+827809df(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81c75233(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cd8ca5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cbacb4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cbacb4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cbae34(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+11a522 154100x8000000000000000751440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.619{A78D3DEB-1AFC-634D-AB00-000000008502}4240C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 11241100x8000000000000000751439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.617{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.cmdline2022-10-17 09:06:04.617 11241100x8000000000000000751438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localDLL2022-10-17 09:06:04.617{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\h1tvh5xw\h1tvh5xw.dll2022-10-17 09:06:04.616 10341000x8000000000000000751437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.551{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.541{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.540{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.540{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.500{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.500{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.500{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.435{A78D3DEB-1AE8-634D-9100-000000008502}43844448C:\Windows\system32\sihost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.421{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.421{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.421{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.414{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.414{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.414{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.407{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.407{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.407{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.381{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.381{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.381{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.380{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.380{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.380{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.376{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.376{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.376{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.367{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.367{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.367{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.366{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.366{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.366{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.366{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.366{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.366{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.365{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.365{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.365{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.365{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.365{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.365{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.363{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.363{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.363{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.355{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.355{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.355{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.355{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.355{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.355{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.354{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.354{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.354{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.354{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.354{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.354{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.353{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.353{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.353{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.351{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.351{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.351{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.350{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.350{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.350{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.344{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.344{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.344{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.339{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.339{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.338{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.319{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.319{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.319{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.294{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.294{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.294{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.293{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.293{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.293{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000751357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.281{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.outMD5=F1EC5482BF2BA02575B45321908341A8,SHA256=9CB8F3F9CAB954B9735983180F10A57AA2C10C45C1CD88579D1AEFF6AD549BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.279{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.cmdlineMD5=D4E02BA6F8A94552D9302B31F2B11360,SHA256=7406093E201E43AA5A1039416CD1C4B6972779CFB2603F5D84064D5AA0DD524C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.278{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.278{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.278{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000751352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.277{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.0.csMD5=986DE8D150F07C409E63595ED82A418D,SHA256=B5932B6734CB4CD024A1935D17BA61F0B3AA4861E711D29699298F405012AA49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.275{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.275{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.275{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000751348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.274{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.dllMD5=2F2B954B7CDCFFF50978D13BA077D1F7,SHA256=3FFA95195D29589E6910EF45FACA57B649C788A60252B5522CA2E0DF8D61E9DF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 10341000x8000000000000000751347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.266{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.266{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.266{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.259{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.259{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.259{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000751341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.252{A78D3DEB-1AFC-634D-A900-000000008502}3496ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\CSC3CDD1BCAF48043F4854DB79C6CE3FB46.TMPMD5=B9C61E428CA0D469B5C2DD7F79DE68C0,SHA256=A7BF419ABED674FC3AB764883B0029825FF520DF48DE39997CF69309D82EA2E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.252{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.252{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.252{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.218{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000751336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:02.241{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57706-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000751335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localDLL2022-10-17 09:06:04.185{A78D3DEB-1AFC-634D-A900-000000008502}3496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.dll2022-10-17 09:06:04.034 23542300x8000000000000000751334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.185{A78D3DEB-1AFC-634D-A900-000000008502}3496ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.184{A78D3DEB-1AFC-634D-A900-000000008502}3496ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES1A93.tmpMD5=45786B10EE8D1C431BB76BF2B96F8D47,SHA256=7D1104EBC7FA62E0C85DA819B50609E365F21AA2EA006B7083BD157A7A2124A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.181{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.146{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.124{A78D3DEB-1AFC-634D-AA00-000000008502}3748ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES1A93.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.123{A78D3DEB-1AF8-634D-A100-000000008502}57045728C:\Windows\system32\conhost.exe{A78D3DEB-1AFC-634D-AA00-000000008502}3748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.121{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AFC-634D-AA00-000000008502}3748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.120{A78D3DEB-1AFC-634D-A900-000000008502}34963404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{A78D3DEB-1AFC-634D-AA00-000000008502}3748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000751322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.120{A78D3DEB-1AFC-634D-AA00-000000008502}3748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES1A93.tmp" "c:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\CSC3CDD1BCAF48043F4854DB79C6CE3FB46.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{A78D3DEB-1AFC-634D-A900-000000008502}3496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.cmdline" 10341000x8000000000000000751321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.114{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.079{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.042{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.040{A78D3DEB-1AF8-634D-A100-000000008502}57045728C:\Windows\system32\conhost.exe{A78D3DEB-1AFC-634D-A900-000000008502}3496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.034{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.034{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.034{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.034{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.034{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AFC-634D-A900-000000008502}3496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.034{A78D3DEB-1AF8-634D-A200-000000008502}57646108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{A78D3DEB-1AFC-634D-A900-000000008502}3496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d8c71|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d807a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\2ed32e20cbed8a26a46a4a7213403003\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\2ed32e20cbed8a26a46a4a7213403003\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cde6c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cb8686(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cb82c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+827809df(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81c75233(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cd8ca5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cbacb4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cbacb4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cbab45(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+81cab865(wow64) 154100x8000000000000000751311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.038{A78D3DEB-1AFC-634D-A900-000000008502}3496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 11241100x8000000000000000751310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.034{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.cmdline2022-10-17 09:06:04.034 11241100x8000000000000000751309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localDLL2022-10-17 09:06:04.034{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qgwdcvzf\qgwdcvzf.dll2022-10-17 09:06:04.034 10341000x8000000000000000751308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.008{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.983{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.983{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.982{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.978{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.978{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.978{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.778{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.778{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.778{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.777{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.777{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.777{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.763{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.763{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.763{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.744{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.744{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.744{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.739{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.724{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.724{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.724{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.608{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.608{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.608{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.557{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.557{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.557{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.556{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.556{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.556{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.511{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.511{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.511{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000751469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.448{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE403AFB5C1E23744D759A0B413AE0CA,SHA256=B20068A131F113D62A09AC5D5D5D098E3419B66D31CC04BDA47FEBC77629796B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000751468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:04.076{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A64476- 10341000x8000000000000000751467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.170{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.170{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:06.840{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:06.839{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:06.813{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:06.813{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:06.813{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 354300x8000000000000000751514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.173{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57709-false169.254.169.254-80http 354300x8000000000000000751513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.145{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57708-false169.254.169.254-80http 354300x8000000000000000751512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.084{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57707-false169.254.169.254-80http 10341000x8000000000000000751601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.946{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.946{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.946{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.946{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.946{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.944{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.944{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.944{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.944{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.942{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.942{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.942{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.942{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.942{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.938{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.937{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.937{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.937{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.935{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.935{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.934{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.934{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.934{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.932{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AF9-634D-A600-000000008502}6040C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.932{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AF9-634D-A600-000000008502}6040C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.931{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AF9-634D-A600-000000008502}6040C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.908{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.908{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.908{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.880{A78D3DEB-1A7C-634D-1600-000000008502}12362084C:\Windows\system32\svchost.exe{A78D3DEB-1AFF-634D-AD00-000000008502}5400C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.862{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1AFF-634D-AD00-000000008502}5400C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.841{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1AFF-634D-AD00-000000008502}5400C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.839{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.839{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.839{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.839{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1AFF-634D-AD00-000000008502}5400C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.839{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.838{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AFF-634D-AD00-000000008502}5400C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000751555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.836{A78D3DEB-1AFF-634D-AD00-000000008502}5400C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000751554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.664{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.664{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.664{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.437{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.437{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.437{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.394{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.394{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.394{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000751545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.252{A78D3DEB-1AF8-634D-A200-000000008502}5764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.252{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.252{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.252{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9700-000000008502}4748C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.240{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.240{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.240{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.228{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.228{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.227{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 354300x8000000000000000751523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:05.298{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57710-false169.254.169.254-80http 23542300x8000000000000000751522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.170{A78D3DEB-1AE9-634D-9A00-000000008502}4876ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=DCFD58B379578B4D1DDF80AF87959261,SHA256=A2258B56CB9997DBC3424220E9BE3494E1662957FFECEB4FA9740198B9D3AA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.107{A78D3DEB-1AE9-634D-9A00-000000008502}4876ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaperMD5=9B185F42151D0A2DE8E09172DE3498A0,SHA256=5909AB61ACC0D6E56B8FC52B182BE96E654085DA72F0E8CFDDC07942BAA88541,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:07.056{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.761{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.761{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.761{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.760{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.760{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.757{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.757{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.757{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.757{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.754{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.754{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.539{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.539{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.539{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.539{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.537{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.537{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.537{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.537{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.535{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.535{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.535{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.535{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.535{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.532{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.532{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.530{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.530{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.527{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.527{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.527{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.527{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.527{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.525{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.525{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.525{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.525{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.525{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.506{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.506{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 354300x8000000000000000751643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:06.434{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57713-false169.254.169.254-80http 354300x8000000000000000751642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:06.415{A78D3DEB-1AF8-634D-A200-000000008502}5764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57712-false169.254.169.254-80http 354300x8000000000000000751641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:06.408{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57711-false72.21.91.29-80http 10341000x8000000000000000751640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.202{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.202{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.202{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.202{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.200{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.200{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.200{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.199{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.199{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.194{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.194{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.193{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.193{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.191{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.191{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.191{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.191{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.191{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.174{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.174{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.157{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.157{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.157{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.153{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.153{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.153{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.152{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.151{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.151{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.151{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.151{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.151{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.148{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.148{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.148{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.148{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.136{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.136{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000751602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.107{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3FF4CF3C6C4349F682107DA8F7135FE9,SHA256=79F3BC38FBC1150B1AAC9420ED1003592E980886CA171C8EC6331C0CECCEE3F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.528{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.528{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.528{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.493{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.493{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.493{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.493{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.485{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.485{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.485{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.483{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.483{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.483{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.482{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.482{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.482{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.482{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.482{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.482{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.481{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.480{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.480{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.479{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.479{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.479{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.479{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.477{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.477{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.477{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.477{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.477{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.477{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.474{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.474{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.474{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.474{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.474{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 354300x8000000000000000751693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:08.092{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57714-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000751692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.415{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.415{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.414{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.343{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.343{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.340{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.340{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 13241300x8000000000000000751685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:09.321{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e207-0xb267acd9) 23542300x8000000000000000751684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:09.107{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7D5D0042FCCB98111E673F97C00EAF09,SHA256=110CDEB23E18ACC552E045BA18E1AB1E633572C5A90AA036367DCB14D4E212B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:08.144{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000751733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:10.980{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A4701A6E0660B9D2F635CF9614DBC493,SHA256=31CF8149289CBCE68840B5C7E8E8337158BD1529AEC05824D718FA6A177ABD11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:10.053{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008A92526F04D369F4360A688CD6E21A,SHA256=049CC8CC6620D090B4017FD6C914AC79ACA3364BE74BAA9F3236BE0C24C15D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000751731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:10.053{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A554846BEF7036FC4941B33DAB2179CD,SHA256=82AE40CAFEFDB0E93213D55D114A5D40F3024272A611B881C863F775C8486209,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.897{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.897{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.897{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.897{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.897{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.897{A78D3DEB-1A79-634D-0A00-000000008502}6402536C:\Windows\system32\services.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000751756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.903{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{A78D3DEB-1A7B-634D-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000751755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.897{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.897{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.897{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.757{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.757{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.741{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.741{A78D3DEB-1A79-634D-0A00-000000008502}6402536C:\Windows\system32\services.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.741{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.741{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.741{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.616{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.616{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.616{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.538{A78D3DEB-1A7C-634D-1000-000000008502}81028C:\Windows\System32\svchost.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.538{A78D3DEB-1A7C-634D-1000-000000008502}81028C:\Windows\System32\svchost.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.538{A78D3DEB-1A7C-634D-1000-000000008502}81028C:\Windows\System32\svchost.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.538{A78D3DEB-1A7C-634D-1000-000000008502}81028C:\Windows\System32\svchost.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.491{A78D3DEB-1A7C-634D-1000-000000008502}81028C:\Windows\System32\svchost.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.491{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.491{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.491{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:11.183{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.892{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CA33F1A549EBA6D0B1E10E5272EEA78,SHA256=7B310E3CAA10455ED056C66288DD2908E66E4C4BB77C93FEDCD101BFA9675C21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.830{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.830{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.830{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.830{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.830{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.830{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.830{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.814{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.798{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.783{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.584{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.584{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.584{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.584{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.582{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.582{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.582{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.582{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.580{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.580{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.580{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.580{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.580{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.559{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.559{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.559{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.553{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.553{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.553{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.494{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.494{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.494{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.492{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.492{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.492{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AE00-000000008502}4852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.490{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.488{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.487{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.485{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.485{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.485{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.485{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.483{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.483{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.472{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.465{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.464{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.455{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.455{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.455{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.455{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.453{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.453{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.453{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.453{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.453{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.451{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.451{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.451{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.450{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.447{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.447{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.447{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.447{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.447{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.428{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.428{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.428{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.428{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.425{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.425{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.425{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.424{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.422{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.422{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.405{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.404{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.404{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.403{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.403{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.403{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.403{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.401{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.401{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.401{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.400{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.397{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.397{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.382{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.382{A78D3DEB-1A79-634D-0A00-000000008502}6402536C:\Windows\system32\services.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.289{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.289{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.289{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.116{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.116{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:12.022{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.975{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.975{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.975{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.975{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.975{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.975{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.975{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.959{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.959{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.959{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.959{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.959{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.944{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.944{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.944{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.944{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.944{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.944{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.776{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.776{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.776{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.776{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.776{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.774{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.774{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.774{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.774{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.771{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.771{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.771{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.771{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.771{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 734700x8000000000000000751922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.665{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\System32\SppExtComObj.ExeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000751921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.675{A78D3DEB-1B04-634D-B000-000000008502}37365632C:\Windows\system32\sppsvc.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppobjs.dll+8feec|C:\Windows\system32\sppobjs.dll+8fbdd|C:\Windows\system32\sppobjs.dll+77b12|UNKNOWN(0000020454690514) 10341000x8000000000000000751920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.649{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.649{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.646{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.643{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.643{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.625{A78D3DEB-1B04-634D-B000-000000008502}37365632C:\Windows\system32\sppsvc.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppobjs.dll+8feec|C:\Windows\system32\sppobjs.dll+8fbdd|C:\Windows\system32\sppobjs.dll+8e34a|C:\Windows\system32\sppobjs.dll+5d561|C:\Windows\system32\sppobjs.dll+5e295|C:\Windows\system32\sppsvc.exe+b30f7|C:\Windows\system32\sppsvc.exe+557d9|C:\Windows\system32\sppsvc.exe+a276b|C:\Windows\system32\sppsvc.exe+b412a|C:\Windows\system32\sppsvc.exe+b441f|C:\Windows\system32\RPCRT4.dll+7ac63|C:\Windows\system32\RPCRT4.dll+d5bc1|C:\Windows\system32\RPCRT4.dll+5342c|C:\Windows\system32\RPCRT4.dll+35824|C:\Windows\system32\RPCRT4.dll+3473d|C:\Windows\system32\RPCRT4.dll+34feb|C:\Windows\system32\RPCRT4.dll+20ddc|C:\Windows\system32\RPCRT4.dll+2125c|C:\Windows\system32\RPCRT4.dll+106bc|C:\Windows\system32\RPCRT4.dll+11f1b|C:\Windows\system32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000751914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.557{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.557{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.557{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.557{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.556{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.556{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.556{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.556{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.554{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.554{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.515{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B05-634D-B200-000000008502}5748C:\Windows\System32\SLUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.504{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.504{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.492{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.492{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.492{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.492{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.492{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B05-634D-B200-000000008502}5748C:\Windows\System32\SLUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.491{A78D3DEB-1B05-634D-B100-000000008502}58365816C:\Windows\system32\SppExtComObj.exe{A78D3DEB-1B05-634D-B200-000000008502}5748C:\Windows\System32\SLUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\SppExtComObj.exe+227c3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 154100x8000000000000000751895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.482{A78D3DEB-1B05-634D-B200-000000008502}5748C:\Windows\System32\slui.exe10.0.14393.4946 (rs1_release.220131-0721)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\SLUI.exe" RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=21c56779-b449-4d20-adfc-eece0e1ad74b;NotificationInterval=1440;Trigger=TimerEventC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{A78D3DEB-1A7B-634D-E403-000000000000}0x3e40SystemMD5=5696ACC92F0DA79A239D33FB9EAEE268,SHA256=1E497C6C9442F78CA7647BDF79B059ACBDFEFAC204C12BFE32A484377F7395F8,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -Embedding 10341000x8000000000000000751894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.478{A78D3DEB-1B04-634D-B000-000000008502}37365632C:\Windows\system32\sppsvc.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppobjs.dll+8feec|C:\Windows\system32\sppobjs.dll+8fbdd|C:\Windows\system32\sppobjs.dll+5acc3|C:\Windows\system32\sppobjs.dll+5ac4b|C:\Windows\system32\sppobjs.dll+5904c|C:\Windows\system32\sppobjs.dll+58e18|C:\Windows\system32\sppobjs.dll+4d73d|C:\Windows\system32\sppobjs.dll+4d5a5|C:\Windows\system32\sppobjs.dll+4da77|C:\Windows\system32\sppobjs.dll+4dc39|C:\Windows\system32\sppobjs.dll+4cf5e|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.474{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.445{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.444{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.438{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\respondent-20221017090412-001MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.400{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.400{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.285{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.285{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B04-634D-B000-000000008502}3736C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.127{A78D3DEB-1B04-634D-B000-000000008502}37365476C:\Windows\system32\sppsvc.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d739|C:\Windows\system32\sppsvc.exe+7eac8|C:\Windows\system32\sppsvc.exe+74910|C:\Windows\system32\sppsvc.exe+957fe|C:\Windows\system32\sppsvc.exe+5458f|C:\Windows\system32\sppsvc.exe+a1cfb|C:\Windows\system32\sppsvc.exe+b412a|C:\Windows\system32\sppsvc.exe+b441f|C:\Windows\system32\RPCRT4.dll+7ac63|C:\Windows\system32\RPCRT4.dll+d5bc1|C:\Windows\system32\RPCRT4.dll+5342c|C:\Windows\system32\RPCRT4.dll+35824|C:\Windows\system32\RPCRT4.dll+3473d|C:\Windows\system32\RPCRT4.dll+34feb|C:\Windows\system32\RPCRT4.dll+20ddc|C:\Windows\system32\RPCRT4.dll+2125c|C:\Windows\system32\RPCRT4.dll+106bc|C:\Windows\system32\RPCRT4.dll+11f1b|C:\Windows\system32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x8000000000000000751884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.127{A78D3DEB-1B04-634D-B000-000000008502}37365476C:\Windows\system32\sppsvc.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d739|C:\Windows\system32\sppsvc.exe+74a2a|C:\Windows\system32\sppsvc.exe+957b1|C:\Windows\system32\sppsvc.exe+5458f|C:\Windows\system32\sppsvc.exe+a1cfb|C:\Windows\system32\sppsvc.exe+b412a|C:\Windows\system32\sppsvc.exe+b441f|C:\Windows\system32\RPCRT4.dll+7ac63|C:\Windows\system32\RPCRT4.dll+d5bc1|C:\Windows\system32\RPCRT4.dll+5342c|C:\Windows\system32\RPCRT4.dll+35824|C:\Windows\system32\RPCRT4.dll+3473d|C:\Windows\system32\RPCRT4.dll+34feb|C:\Windows\system32\RPCRT4.dll+20ddc|C:\Windows\system32\RPCRT4.dll+2125c|C:\Windows\system32\RPCRT4.dll+106bc|C:\Windows\system32\RPCRT4.dll+11f1b|C:\Windows\system32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.939{A78D3DEB-1A79-634D-0B00-000000008502}648NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.datMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000751990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.874{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F928C51C95EAECE756B176B0246561EF,SHA256=688EE74E5F034990965E637A0597890A68F77B572FFE62119B24DFFDAFF6A6DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.659{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.658{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.657{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.657{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.609{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B06-634D-B300-000000008502}5328C:\Windows\System32\SLUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.594{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.594{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.593{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.593{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.593{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B06-634D-B300-000000008502}5328C:\Windows\System32\SLUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.593{A78D3DEB-1B05-634D-B100-000000008502}58365816C:\Windows\system32\SppExtComObj.exe{A78D3DEB-1B06-634D-B300-000000008502}5328C:\Windows\System32\SLUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\SppExtComObj.exe+227c3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 154100x8000000000000000751978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.593{A78D3DEB-1B06-634D-B300-000000008502}5328C:\Windows\System32\slui.exe10.0.14393.4946 (rs1_release.220131-0721)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=21c56779-b449-4d20-adfc-eece0e1ad74b;Trigger=TimerEventC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{A78D3DEB-1A7B-634D-E403-000000000000}0x3e40SystemMD5=5696ACC92F0DA79A239D33FB9EAEE268,SHA256=1E497C6C9442F78CA7647BDF79B059ACBDFEFAC204C12BFE32A484377F7395F8,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -Embedding 10341000x8000000000000000751977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.592{A78D3DEB-1B04-634D-B000-000000008502}37365476C:\Windows\system32\sppsvc.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppobjs.dll+8feec|C:\Windows\system32\sppobjs.dll+8fbdd|C:\Windows\system32\sppobjs.dll+5acc3|C:\Windows\system32\sppobjs.dll+5ac4b|C:\Windows\system32\sppobjs.dll+5904c|C:\Windows\system32\sppobjs.dll+58e18|C:\Windows\system32\sppobjs.dll+4d73d|C:\Windows\system32\sppobjs.dll+4d5a5|C:\Windows\system32\sppobjs.dll+4da77|C:\Windows\system32\sppobjs.dll+4dc39|C:\Windows\system32\sppobjs.dll+4cf5e|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.436{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.436{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.436{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.436{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000751972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.436{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\surveyor-20221017090410-002MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000751971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.433{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.433{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.433{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.433{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.433{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.432{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.432{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.432{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.414{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.414{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000751961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.414{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 734700x8000000000000000751960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.336{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000751959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.178{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.178{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.178{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.178{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000751955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.115{A78D3DEB-1A7C-634D-1000-000000008502}8NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\WMI\SUM.etlMD5=91E4A2B9D84CD22B58B05CDE2122F3FF,SHA256=A030592B330DDF303E1EC68D5BB6CB7798108B9E70C4929F85A99EFABD2A7E03,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000751997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.711{A78D3DEB-1B05-634D-B100-000000008502}5836win-dc-ctus-attack-range-801.attackrange.local0fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\System32\SppExtComObj.Exe 354300x8000000000000000751996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:14.074{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000751995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.730{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\System32\SppExtComObj.ExeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57716-false169.254.169.251-1688- 354300x8000000000000000751994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.708{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57715-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000751993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:13.708{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\System32\SppExtComObj.ExeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57715-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000751992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:15.590{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01A3C156703DD38DE4E17C5D5A6B1F1,SHA256=DA697392E20B82F8B1B99A6A3310F9735017C574923F0EB1EE03CCAA1F660D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:16.882{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:14.164{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000752051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.960{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.960{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.960{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.944{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.944{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000752046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.491{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.491{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.491{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.461{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.461{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.461{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.460{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.459{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.459{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.454{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.454{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.454{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.454{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.454{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.454{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.325{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.325{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.325{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.325{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.325{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.325{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.325{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.263{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.263{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.263{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.263{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.263{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.263{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.263{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.121{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000752013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:06:16.121{A78D3DEB-1A79-634D-0B00-000000008502}648\scerpcC:\Windows\system32\lsass.exe 10341000x8000000000000000752012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.121{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.121{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.121{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+768f3|C:\Windows\system32\lsasrv.dll+76af6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.105{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.105{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.105{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.105{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.105{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.059{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.059{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.059{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.059{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.059{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.059{A78D3DEB-1AE9-634D-9A00-000000008502}48765916C:\Windows\Explorer.EXE{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+565f|C:\Program Files\7-Zip\7-zip.dll+9070|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+6d0bf|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\System32\SHELL32.dll+1793bc|C:\Windows\System32\SHELL32.dll+1a0124|C:\Windows\System32\SHELL32.dll+2844f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+179660|C:\Windows\System32\SHELL32.dll+176a3e|C:\Windows\System32\SHELL32.dll+60691|C:\Windows\System32\SHELL32.dll+63576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000751998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.045{A78D3DEB-1B08-634D-B400-000000008502}5044C:\Program Files\7-Zip\7zFM.exe22.017-Zip File Manager7-ZipIgor Pavlov7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Temp\9887e7a708b4fc3a91114f78ebfd8dcc2d5149fd9c3657872056ca3e5087626d.zip"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=D36DECEEB4C9645AAB2DED86608D090B,SHA256=018D74FF917692124DEE0A8A7E6302AECD219D79B049AD95F2F4EEDEA41B4A45,IMPHASH=3B2AD7C424FBD96489E02FA44B3D6025{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000752054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.999{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57718-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local445microsoft-ds 354300x8000000000000000752053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:16.999{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57718-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local445microsoft-ds 354300x8000000000000000752052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:15.467{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64165- 22542200x8000000000000000752069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:17.005{A78D3DEB-1A7C-634D-1100-000000008502}380WIN-DC-CTUS-ATT0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 10341000x8000000000000000752068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.502{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.502{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.497{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.496{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.494{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.494{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.494{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.494{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.486{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.486{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.486{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.485{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.485{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000752055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:18.436{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F88EE0A3AA08ACDD6CBDC1881F5B10,SHA256=8D88BBC365ADDE0F1B70E37F8BC4D9314C3439FB9528A043A2B18C9BC778AD21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:16.866{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49721-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000518233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.786{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.782{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.772{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.770{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.766{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.764{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.759{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.756{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.749{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.745{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.743{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.732{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.713{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.709{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.689{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.685{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.646{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.579{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.568{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.558{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.546{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.524{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.511{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.498{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.467{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.449{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.439{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.431{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 23542300x8000000000000000752075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:20.783{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=881B5C446958FDB011DE840428A17747,SHA256=66CB0BA7FDB0A03B28FFC37D00998E10992FC688ED41D24F64496D8A673281CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000752074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:19.113{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000752073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:20.001{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:20.001{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:20.001{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:20.001{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:21.306{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF7-634D-7D00-000000008502}2552C:\Windows\system32\SppExtComObj.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000518234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:21.303{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000752090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.993{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.988{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.981{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.972{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.965{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.955{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.947{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.936{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.928{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.893{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.890{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000752079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.578{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8ACD9325764ACCFAC4B4481E1D051AF,SHA256=EFD37F9A1FB7DCCF621CF384300027178222EA040198D0EFFDEE56B73CB2B41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.578{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A370711CF4514E1B113339A783AC1E4F,SHA256=5014473C4D217A753A2B3A76A30973C5A010993F5C9F82CFE13E6C26C5A54280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.548{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87721EE32D02338204DB0963ED37A8C,SHA256=3A3227905C65C69063D02D1C0C1001F030303458E92B99EB74DDFB45EA886C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.520{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:20.136{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49722-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000752122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.951{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5B4306326A72CD2A1E9929D59569A6FF,SHA256=D0F58D002DC91165808E16D9B4E9338E58B62AB7D5595A90FB06D54E52335594,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.936{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.936{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.936{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.936{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.921{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.921{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.874{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03858EA230181E38BA619E801C8B3093,SHA256=D6A35FAC1D126E4173E79C086B0C81ADC4DB0D0E9D06E0BF14F48D5CF70CD327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.811{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.811{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.811{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.811{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.811{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.811{A78D3DEB-1AE9-634D-9A00-000000008502}48765916C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+6d0bf|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\System32\SHELL32.dll+1793bc|C:\Windows\System32\SHELL32.dll+1a0124|C:\Windows\System32\SHELL32.dll+2844f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+179660|C:\Windows\System32\SHELL32.dll+176a3e|C:\Windows\System32\SHELL32.dll+60691|C:\Windows\System32\SHELL32.dll+63576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x8000000000000000752108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.806{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap19784:156:7zEvent31848C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000752107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.547{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.545{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.084{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.082{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.076{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.072{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.069{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.062{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.061{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.054{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.050{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.048{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.047{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.046{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.042{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.014{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.008{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.971{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B0F-634D-B600-000000008502}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.956{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.956{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.956{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.956{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.956{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B0F-634D-B600-000000008502}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.956{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B0F-634D-B600-000000008502}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.816{A78D3DEB-1B0F-634D-B600-000000008502}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000752152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:21.558{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000752151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.541{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.541{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.541{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.517{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.517{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.517{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.507{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.507{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.507{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.507{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.505{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.505{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.505{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.505{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.505{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.094{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.029{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.029{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.029{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.029{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.029{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.029{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.029{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.014{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:23.014{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.998{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.998{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.998{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:22.998{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.957{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B0128200E3192400DDB99FCDF72084F3,SHA256=2B9897302EFA4803AB058C926D59EDA9B7B681A3A5168C52A11C601714DD47A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.862{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B10-634D-B700-000000008502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.849{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.849{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.849{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.849{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.849{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B10-634D-B700-000000008502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.848{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B10-634D-B700-000000008502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.689{A78D3DEB-1B10-634D-B700-000000008502}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000752178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.724{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F367F057B6BB974BD1439B03D42576D1,SHA256=EE6DF2C0197E1EC365AE3549F63013D9CCCAB09C53FD0922C065A42A3530ADA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.570{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.567{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.529{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.529{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.529{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.528{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.528{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.527{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.525{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.525{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.525{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.524{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.524{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.521{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.521{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000752162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.113{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB7E44A05A2B8109732DE3CBBD383AD8,SHA256=EC2BF3CB8FAC28F4137E9D3BC1A6E9CB2B51E010E71A630C1946C10F0078EC05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.113{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12C814BAEE3260148856078E349F11D2,SHA256=22F73AAE957516D2762FE47FC4C9F23DFF7A71C179A6FC0AB1F6B3142B80CF37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000752285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.142{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57721-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000752284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:24.142{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57721-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 10341000x8000000000000000752283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.661{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B11-634D-B800-000000008502}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.659{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.659{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.659{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.659{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.659{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B11-634D-B800-000000008502}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.658{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B11-634D-B800-000000008502}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.524{A78D3DEB-1B11-634D-B800-000000008502}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000752275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:25.322{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e207-0xbbf12ba0) 10341000x8000000000000000752274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.296{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.296{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.296{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.282{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.282{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.282{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.282{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.282{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.282{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.281{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.281{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.281{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.278{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.278{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.278{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.277{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.277{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.277{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.276{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.276{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.276{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.276{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.276{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.276{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000752250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.255{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E819B28878C3FA90442CB6F488A1FBF3,SHA256=50F35B7ABD863643D553B0382C8FA01647750C927D6C34D4895452EEF14B359B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.220{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.220{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.220{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.219{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.219{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.219{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.217{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.217{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.217{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.216{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.216{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.216{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.215{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.215{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.215{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.213{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.206{A78D3DEB-1B10-634D-B700-000000008502}42204236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.204{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.204{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.204{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.192{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.192{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.192{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.191{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.191{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.190{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.174{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.174{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.174{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.172{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B05-634D-B100-000000008502}5836C:\Windows\system32\SppExtComObj.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.170{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.163{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.163{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.163{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.160{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.151{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.123{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.118{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.110{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.102{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.100{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.098{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.095{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.092{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.091{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.085{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.084{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.076{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:26.792{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:26.791{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:26.791{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B0E-634D-B500-000000008502}3112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000752288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:25.085{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57722-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000752287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:26.220{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176931632ECE52DC98B1E18B30AAB197,SHA256=846984766FA347E0987EFC0E2382240E042D8A74675D0824C19A2A82FCEE0AFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:26.220{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD3228C89ED955F348BBFBC59EE8254,SHA256=63A9532FD21C371F350423B632F3995CF359899FB6AA37938746350E0C5AF025,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:25.183{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49723-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000752309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.906{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B13-634D-BA00-000000008502}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.904{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.904{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.903{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B13-634D-BA00-000000008502}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.903{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.903{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.903{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B13-634D-BA00-000000008502}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.903{A78D3DEB-1B13-634D-BA00-000000008502}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000752301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.435{A78D3DEB-1B13-634D-B900-000000008502}60965988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.279{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADCA77E5E8A0CA2A436A3BB355487F4,SHA256=7E726C2701FB9DDA0589F8A9F87CD9548FA5DF8173206C73681CB39F6F4E7BE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.201{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B13-634D-B900-000000008502}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.201{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B13-634D-B900-000000008502}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.201{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B13-634D-B900-000000008502}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:27.044{A78D3DEB-1B13-634D-B900-000000008502}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000752320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.806{A78D3DEB-1B14-634D-BB00-000000008502}42763332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.620{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B14-634D-BB00-000000008502}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.620{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.620{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B14-634D-BB00-000000008502}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.620{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B14-634D-BB00-000000008502}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.472{A78D3DEB-1B14-634D-BB00-000000008502}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000752311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.331{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2727E698BD5FEAE30778C9A81737006,SHA256=64D56E205A9F58BD327422AF12B1C5BEDD2722648FDC78C7E1543FA5BB512800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:28.159{A78D3DEB-1B13-634D-BA00-000000008502}6104676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:29.334{5C0BDE06-1AF6-634D-7C00-000000008502}3512NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=6EFA115D7FAD89737BD76DCA6EA64928,SHA256=2023F6664F44F80D6EA7C3A93A299BD5571E9871D303BC0903C816E9D1CEB50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:29.511{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C05D30751EB9E60BE171AA25B80A2F7A,SHA256=300B0E7D0757EBB7F1DF639919A54C1FF1CE533EF0EFC405F540B1FABED83C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:29.418{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5062F69627A20BA425D82985C5E8ED31,SHA256=C7E9AA4A291DB1EF4F87360156AF1783A0F2486F01CBF9B3F42680BF0A576F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.473{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B470E8D1E79F4BDC4183528644B99C4D,SHA256=FC16D0F73D00E610DEA2E5323BD857DB51E0E8D274B623A7270F509DE79AC1E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.286{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B16-634D-BC00-000000008502}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.286{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.286{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.286{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.286{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.286{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B16-634D-BC00-000000008502}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.286{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B16-634D-BC00-000000008502}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.162{A78D3DEB-1B16-634D-BC00-000000008502}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000752333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:31.644{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3880FABAD6EB135F2256A96362E0DA0C,SHA256=8F5BE3ACA6B0FDCCCBF9C2D102E771E2D15E5267C58ACD8237638AA491FF3C9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000752332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:30.134{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57723-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000752341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:32.725{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69769D048F82546E9B3A3D674749F806,SHA256=AF7BE1C203592B4E98986EE1CC3A8F051FB7C97DADCD41274188A670997E897C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:32.636{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:32.636{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:32.636{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:32.636{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:32.635{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:32.633{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:32.633{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000752342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:33.720{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61B4D767139B24E04B82EBB632E9713,SHA256=99FCD234870E91A97CE77D93A7616A195876F2F075D3A90FFFF96B70E8183BDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:31.076{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000752343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:34.842{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6226480A95CCFB849A58EB07A999E284,SHA256=4C45E3EEE3E2468F903F25E3C05ABDACCBED45C159F8770D282BADA74FE267F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.761{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.762{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.605{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBF6B35B459C58F494E02A046DA3F15,SHA256=A8D97A42EB5B3FE49D6ABE30B91E861BF96FDA8765B1A660D6119233220C3B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.589{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D104FB12FDFE4D807BA6AFA66097DCF9,SHA256=278AFFFB4C921995EE8BCD4038048083375A09EEC1407A20622A1735B502D03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.386{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F230CC9AEB77C41ECEED77D07910658B,SHA256=9A02474ACB5A7BE988859F10E7AF762DB7CCD76A69D6DB2EE75A19CCF30AE4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.292{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=16642C47CC69772B3432AFFB81F2F5DE,SHA256=D0192C6EE45068787311667768B45BC3980E03072C0CE83BC2E23451CEE7B1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.276{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=451974436381BF46434EB4C6C31CD131,SHA256=A4AF39C6FB667EF906D39956CC7962D9410E888065FA795B9D80D4DD5EFB2BF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.276{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B1A-634D-8000-000000008502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.276{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.276{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.276{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.276{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F02D5540EE4F4246CF19D69EFE8915C3,SHA256=8C42EB32C20A7AD5E465CFC4EA0BC441C17C75107D688E984C83EA5D13EB544F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B867363B3FD1EC8F320236E8C93B6B5,SHA256=159D9A8EA00D1AD70357A09842C58A0C57AE387331F9847B154BB3F4E22902A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4095B3B175BD60CF6BD298C71B9C1635,SHA256=EE49CA58EECEAA4CCCC57279E8394483E0C72AD7D9178AD28A4E999512B6A783,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1B1A-634D-8000-000000008502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.261{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B1A-634D-8000-000000008502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.274{5C0BDE06-1B1A-634D-8000-000000008502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000752344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:35.948{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7C39344F8934F4EE0D833ED72593C6,SHA256=AE442853BC071E73FB59B414C12E0290A3061C201BC953943520363975B71040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B1B-634D-8300-000000008502}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1B1B-634D-8300-000000008502}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.944{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B1B-634D-8300-000000008502}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.946{5C0BDE06-1B1B-634D-8300-000000008502}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.632{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7792ABC5F07AF674B02A9C8AC2F86CD,SHA256=CF818D328E23BE628CA197723A5D2D832EC039A9533AC87DC1F2AF75AA2A7914,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B1B-634D-8200-000000008502}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1B1B-634D-8200-000000008502}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.442{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B1B-634D-8200-000000008502}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.443{5C0BDE06-1B1B-634D-8200-000000008502}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.075{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08806B8B2C49B6059BFA4EEF83496468,SHA256=D8B2829215E308D4A1C2012B064B01ABD502BFAF209161989E172488E1BFB08B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.058{5C0BDE06-1B1A-634D-8100-000000008502}37323768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.047{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.045{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.045{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.044{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.043{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:35.043{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B1A-634D-8100-000000008502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.845{5C0BDE06-1B1C-634D-8400-000000008502}300364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.752{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F638B437E80D55B6A7D689726637B6,SHA256=3D59257185EDBA45E12D90533AA529346D306B3B6C4D03FE99EBE609C88F8E7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B1C-634D-8400-000000008502}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1B1C-634D-8400-000000008502}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.611{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B1C-634D-8400-000000008502}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.612{5C0BDE06-1B1C-634D-8400-000000008502}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000518310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.126{5C0BDE06-1B1B-634D-8300-000000008502}984976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000518309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:34.230{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49725-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal9997- 23542300x8000000000000000518353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.886{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2BA2C49D1E5A365D0DE45D9EABA8F0,SHA256=594C2AC9B4106D45464C538606921C5524E894C0C9CEBA59599A015BBAE71316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B1D-634D-8600-000000008502}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1B1D-634D-8600-000000008502}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.792{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B1D-634D-8600-000000008502}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.793{5C0BDE06-1B1D-634D-8600-000000008502}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000752346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:35.320{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000752345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:37.036{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D28E6FF734BF3A394CDDF2E0A484721,SHA256=719A9BDC21AD95CB7C5C3ADB8582399E8B6D958574007E4BBF30608EF84AA079,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.589{5C0BDE06-1B1D-634D-8500-000000008502}10961080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B1D-634D-8500-000000008502}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1B1D-634D-8500-000000008502}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.292{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B1D-634D-8500-000000008502}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:37.293{5C0BDE06-1B1D-634D-8500-000000008502}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:38.876{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BE600B70C1C286755AD7C3809A6B8F,SHA256=5761F839A32384965DDA5AC90F4CE14240DE780868FC4A4C662BDFFF0B6B2605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:38.119{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58DA204DBDFA14C0BA2D54141096163,SHA256=CC010C281C30292227ECC81CBAB086F5CD87083BCAE6AB02C157BE3B0C309913,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:36.086{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000752348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:39.195{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557FB7F9D00B7707275677DAE6D733FE,SHA256=257D6497773E05B0BC6567B1A84D398A6E13CB53FC28EB5AD33E0C63285D0F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:40.293{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4E17A3FA113D42C8FA34E94ECAA013,SHA256=5EFD64D98A3C8686588BD612504B9455A8837B241F5CF273D6CD3664DF08E1AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.682{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.674{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.669{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.664{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.663{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.660{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.658{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.656{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.655{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.653{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.646{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.641{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.636{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.617{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.614{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.598{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.592{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.576{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.538{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.526{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.520{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.511{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.495{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.489{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.481{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.470{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.461{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.449{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.433{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000518358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.429{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000518357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.274{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=17A099C3C79194F261F588222C81E276,SHA256=A59F7661F66474E4E4D542EE4691B38106BA0F31DA95BF30A399CEB81E9BF605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:40.084{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13ADE3E9F8A01536C595ADF89924294A,SHA256=AEECF38D1E966AB6562641504D949DA79C02A6FFDF3C53E3C94BCFE9535A0C94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.989{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.982{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.964{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.955{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.949{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.937{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.931{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.915{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.907{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.869{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.864{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000752350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.398{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED86C9DF911C54F816313574CC5324C,SHA256=40A194C74357102971493F9ADE32AEA4A7F6A99AE2D771AA0439B55C3341DAD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:41.229{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EA66D5990E40376E37469403FC2FCC,SHA256=EDBB8E353C6FEFF542FDFE3254AFEA6DFF9A2DC981FFC8FC21A3763B24E327FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.454{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84F7A98665D5B1628370F287CC31624,SHA256=E7FC5E8F515EDC04C54D3C8F69B72EE9A85E3E949D6B36F08436621FB2C242FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.445{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.439{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000518389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:42.256{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB47D1672AD39A411E8B3DC0088B89B9,SHA256=227B6DC83BBE889636844D5D4C7745A3737762461CD5890FAEC1A11D2F282C94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.074{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.071{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.066{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.063{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.060{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.054{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.052{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.047{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.044{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.043{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.043{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.041{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.039{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.014{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:42.007{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000752382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:43.551{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B78008515D0BC4085D33EC14F74FD58,SHA256=B17EF697FE5C8972803C339695B2664B8CC6820265FEC5184844C187401F07EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:43.439{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDE2EA62AFB0D6DA491E3D4E27ABE9F,SHA256=73171D45C3C60B991C0677E9A03CF1E83B16EE4139A8B590355E8DC854E5CFF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000752381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:41.165{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57725-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000752380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:43.019{A78D3DEB-1B04-634D-B000-000000008502}3736NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=8B2667D7557710F9482499452887692E,SHA256=2AF7C86842DB9DD5235DE6F6F84B10B0BDD20B51388369860B04A6D122322E3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:41.137{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000752391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:44.996{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:44.994{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:44.990{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:44.989{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:44.986{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000752386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:44.653{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824402987FEE70F2B024F725B8DD4E3D,SHA256=9DB81E6B9EC7E36242541D9C78557046E149A4BDC9273332465E86CE604CE833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:44.638{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=03310B5997932DBDB6FAE32D530E05BA,SHA256=AE8B81AFC778B4A977C6F4FA7BFB5CEED2A845685EFD51E64E8E1D3AE07B509C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:44.649{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF7D28B467C8E494823EEA6FD83DD32,SHA256=FD89C7ACFA79617B053E0299FE3AFA34658FC3EABE144C3A464C60FC46731C0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:44.468{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:44.467{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.976{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.976{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.976{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.974{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.973{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.973{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.971{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.971{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.970{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.958{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.958{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.958{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.958{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.956{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.956{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.956{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.956{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.954{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.954{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.952{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.952{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.896{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.840{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.782{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.782{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.782{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.782{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.782{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.782{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.794{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000752416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.735{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AC06353F359886AFCFC3BAC11CF82A,SHA256=8FB9AAC53BF4B7AAB0E53266D5D448282D808ACFFA4FE8D4863E5FC601127BA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.720{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:45.741{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA2B875C240599F25B7D6BC5977C660,SHA256=CC8C385AA0E00BC3083E97538B4D4E350195166A7DF606DDDD37EDFE0B6CD43D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.610{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.610{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.595{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.579{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.579{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.579{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.579{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.579{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.579{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.089{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.078{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.067{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.037{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.031{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.019{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.012{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.009{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.003{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:45.000{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000752463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.979{A78D3DEB-1A7C-634D-1000-000000008502}81588C:\Windows\System32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.979{A78D3DEB-1A7C-634D-1000-000000008502}81588C:\Windows\System32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.870{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A9D38C09507E92764AE7E316E52399,SHA256=4E79CB38F8C07ADD1B84120E57FFFB64C6C3E311B1B1A38417C4D8817C3BA804,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000752460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:46.823{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x8000000000000000752459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:46.823{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0002c191) 13241300x8000000000000000752458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:46.823{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8df9b-0x73c0072d) 13241300x8000000000000000752457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:46.823{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e207-0xbbf12ba0) 13241300x8000000000000000752456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:46.823{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e285-0x767343a0) 23542300x8000000000000000518394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:46.826{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01280B9E7C27D23F7B616DB214681265,SHA256=0554C8F6A1853682FCC63B6DE3438A686CA654B35C483A7D24D61406C7EC752B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.729{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.729{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.729{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.729{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.729{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.729{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.729{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.698{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=492A93AFF9837D73BD0D872E6AB1DF44,SHA256=9825EC9434FE98B294CBA4D53680E4E53A4F07337A3E137B58E181637697F1CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.120{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2DD9AE952E80D5CF722132660DC4B456,SHA256=BBD9033FC70882495DE359EDC37AE22300FE488213FC5AF3350E47E7D4E72834,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000752475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:46.879{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57726-false40.126.28.21-443https 23542300x8000000000000000752474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.907{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614848E45BE98993728922FE030D5BEF,SHA256=C8AA3CC25A0E78D3298244716E15847F6BAE111A4E9043C9BBC8E0E22DF93639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:47.911{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77B9DFFF56569CAF668E7FF8DA14D9F,SHA256=3FC72DECC2CE141DBDCA8BFFE609D3CFD56D850644ACFCE68E842B562426D27C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.423{A78D3DEB-1AE8-634D-9000-000000008502}43404376C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000752472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.423{A78D3DEB-1AE8-634D-9000-000000008502}43404376C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000752471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.408{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000752470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.408{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000752469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.057{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.057{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.057{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.053{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.053{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.053{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B25-634D-BF00-000000008502}5684C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 354300x8000000000000000518395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:46.226{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000752478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.159{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57727-false40.83.247.108-443https 354300x8000000000000000752477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.142{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000752476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:47.079{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49392- 23542300x8000000000000000752479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:48.999{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362977675C749738490F05535BB03DE2,SHA256=1E05840B1E0D53D713952FD7194D364EF85B4D479C12D24608BACF88EE068401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:49.097{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC94DE92911DDE124087FC69C3A3611,SHA256=35D59FB1204FEAD781089C87BF9905D984F4C63A77A5FF48F823E412FD39E95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:50.078{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C5D2002D37E03CF2C7FFA00C8A81AE,SHA256=67BFFBD71CDD9794B7E2B7F2E8D0EF561482C724B326C4D45A646B0543FD8816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:50.199{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35092ECF859720D5D8EEDF55C26FF2F,SHA256=182960A48E19729E513D3C470B76D511CCB297E068458463AB996F45A347233F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000752497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.868{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2022-10-17 09:06:51.868 10341000x8000000000000000752496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.770{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.770{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.754{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.754{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.739{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.739{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.739{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000752489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.739{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000752488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.707{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B2B-634D-C000-000000008502}4992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.693{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B2B-634D-C000-000000008502}4992C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.693{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B2B-634D-C000-000000008502}4992C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.693{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.693{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+268c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.693{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000752482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.661{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\qbot1.iso.lnk2022-10-17 09:06:51.661 23542300x8000000000000000752481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:51.177{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D72E17CD742978256DF37471EBADAA,SHA256=C4A259189BA91A611004CD55A85AEEB4062494A29A699761CC782450B5DD7B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:51.288{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C3E0ADA3309FC4EDE5411511250240,SHA256=537BF457B9FCD7AF5546EC496C3E15B3F39C92C4566B3A5A76519192B61EA15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:52.493{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA91E739008C044A98F5EA3E79CCD017,SHA256=1EB47227FE6EC20E23052A0530D0B2BFA9F3447892F10740513D55DC6F80841C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.887{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=55D5C32E22E176B84F957B4AC937889A,SHA256=38DB3FDBEA00AA34DC67451C6E767D6B9A768B0407A4AA7BABCB068FA566D75F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.871{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=786F48CB10AB7AB2F6B84B689542D1C8,SHA256=1890F7D170BAD7C49A3B734850040FEAD33EC88B7308EEFF6F1CC91625C3194B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.825{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\INF\nettun.PNFMD5=7AB2D888752D0063CA8D4F8664D50304,SHA256=9F7688790CF9C8BB98378AF63CC7C51FDF127393E01FF0A14479E2D0E9B9BF73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.715{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.715{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.715{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.715{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.715{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.715{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.715{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.715{A78D3DEB-1A7C-634D-1400-000000008502}10722036C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000752544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.622{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000752543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.622{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0002d835) 13241300x8000000000000000752542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.622{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e1ff-0x6a25cddb) 13241300x8000000000000000752541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.622{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e207-0xcbea35db) 13241300x8000000000000000752540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.622{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e210-0x2dae9ddb) 23542300x8000000000000000752539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.403{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C05E41F6E0CA8C1C6F24DCA9B61579,SHA256=FD9266DD5BC69103E8380F9CB05647A57A389F94C51665477293FCC40C9703B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.243{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.243{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.243{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.229{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=18AA71ADF0A6AE8A28BF890BA88A4E42,SHA256=9ECC1728197A29950CA4A217C5B92E3771A413EE4BF4447F4C319636B591B883,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.211{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.211{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.211{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.210{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.210{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.210{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C100-000000008502}4156C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.209{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000752521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.179{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0xcbf33e69) 13241300x8000000000000000752520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.174{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x8000000000000000752519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.171{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000752518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.171{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\CountDWORD (0x00000001) 13241300x8000000000000000752517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.171{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\0SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 13241300x8000000000000000752516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\AutoRunAlwaysDisableBinary Data 13241300x8000000000000000752515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2022-10-17 09:06:52.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName@cdrom.inf,%%ISO_Generic_FriendlyName%%;Microsoft Virtual DVD-ROM 13241300x8000000000000000752514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localInvDB-DriverVerSetValue2022-10-17 09:06:52.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\DriverVersion10.0.14393.5006 10341000x8000000000000000752513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.165{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C000-000000008502}4992C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.165{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C000-000000008502}4992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.165{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C000-000000008502}4992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.165{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C000-000000008502}4992C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.165{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C000-000000008502}4992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.165{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2B-634D-C000-000000008502}4992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.132{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.132{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.129{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.129{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 13241300x8000000000000000752503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.119{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000752502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.119{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Enum\CountDWORD (0x00000001) 13241300x8000000000000000752501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.119{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Enum\0{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01 13241300x8000000000000000752500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.119{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Parameters\PnpInterface\5DWORD (0x00000001) 13241300x8000000000000000752499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:06:52.119{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Parameters\BusTypeDWORD (0x0000000f) 13241300x8000000000000000752498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localInvDB-DriverVerSetValue2022-10-17 09:06:52.118{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\DriverVersion10.0.14393.5291 10341000x8000000000000000518407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:53.977{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1B2D-634D-8700-000000008502}3904C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:53.977{5C0BDE06-1A79-634D-1500-000000008502}10362504C:\Windows\system32\svchost.exe{5C0BDE06-1B2D-634D-8700-000000008502}3904C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e034|c:\windows\system32\UBPM.dll+11582|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:53.977{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:53.977{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000518403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:52.226{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49729-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:53.582{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314659E21874D05CB9C131DA2166ACB6,SHA256=9A43B07AECB431280EE14F640E12435F0CAD254B1D0D66F15CD591F73D8600A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.775{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D232F7852E5020E3EADC8F7666677D5,SHA256=8BE6A50B309D29F0A7BBB4532416BF034A59751700171F753BF2C00799EFD481,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.681{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.681{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.681{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.681{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.681{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.681{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.666{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.650{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.634{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.634{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.634{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.634{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.634{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.634{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.634{A78D3DEB-1B2D-634D-C300-000000008502}42165308C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000752720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.634{A78D3DEB-1B2D-634D-C300-000000008502}42165308C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x8000000000000000752719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.634{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2605F7C1162154EFD4DC287B4A213F91,SHA256=13A0774B02151AE4A323EFDFE091D408C70A7C6469C90CC2DD8FA6F63B583D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.572{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6843C2680C11A69BC5E10D765EA5DDA1,SHA256=794885E0A712A18B6D19529CEBCC658AC3D45C2E628C29DE29F1B3A514B2D0BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.511{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.510{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.509{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.509{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.509{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.508{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.508{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.504{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000752709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.484{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.460{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.454{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.453{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.453{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.453{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.453{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.453{A78D3DEB-1A79-634D-0A00-000000008502}6402536C:\Windows\system32\services.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.450{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000752700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.447{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.447{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.447{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.446{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.437{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.437{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.436{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.436{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.436{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.435{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.430{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.430{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.429{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.429{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.429{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.428{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.424{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.423{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.422{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.422{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.422{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.422{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.417{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.416{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.415{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.415{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.415{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.414{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.402{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.402{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.402{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.401{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.399{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.399{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.371{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.371{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.371{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.371{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.368{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.368{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.319{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.319{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.317{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.317{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.316{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.316{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.316{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.316{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.314{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.314{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.313{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.313{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.313{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.313{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.311{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.311{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.311{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.311{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.308{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.308{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000752640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.307{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7FF8A39FC1E91F0EC18E53B66581CB,SHA256=F06E1ED1FAC94A7CBAC2C2F41DC4436F826DE0E1203C14802FFEAB787728E736,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.276{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.276{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.275{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.275{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.275{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.274{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.266{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.265{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.265{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.256{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.255{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:53.127{5C0BDE06-1A78-634D-1100-000000008502}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ACB16D54D14A21A5F61238F8057F689E,SHA256=5F46225DBD3F81D6AE6502626D823A0F6C0CC4F08F20E154A1EE1D6789D40A6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.255{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.255{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.254{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.254{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.249{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.249{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.248{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.248{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.248{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.247{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.243{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.242{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.241{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.241{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.241{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.241{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.235{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18369F9A979265978236DA3E25B6B671,SHA256=3DBA53B51787D46825836F91AB67798750D24D727150438212DC953BBD377FE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.227{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.227{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.226{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.226{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.225{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.225{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.218{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.218{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.217{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.217{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.217{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.217{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.212{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.211{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.210{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.208{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.207{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.207{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.137{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.121{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.106{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.106{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.106{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.106{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:54.678{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EA5C49AC4E3E8607926C693584668C,SHA256=D176E91B4912069296EA28184DC0FD38ABD335C5AF64E696B52F67595A4D00CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.457{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.451{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.451{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.451{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.425{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.425{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.425{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.419{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.419{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.419{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000752760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.303{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0180E3A277E89D52B727D8C04669661,SHA256=9FE1BA904BF1C0FF27222DECDFAFDA359AC5B92B09F47682E12DB78D4AA756A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000752759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.193{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57729-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:55.871{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC2DD3640B489F16F68D3766C2F4FA3,SHA256=8AC49B1B30E2E98A7B7B93347EF66525F8F8C98C83633C6F8AC4C559BFDC05AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:55.895{A78D3DEB-1A7C-634D-1600-000000008502}12361396C:\Windows\system32\svchost.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:55.895{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:55.879{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:55.879{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:55.879{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:55.879{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:55.364{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0EB3C217EDA7FE819495C67DD804CD,SHA256=2BCB5AA6C9163107E397E15781935F3B0EE5DA6707ACE727D1EF37FD676D66EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:55.107{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF4C92A1CCF2D5ABDAF661BCE676302C,SHA256=DBA3DD25BD3676BF0DEE99CFC862DA98D1FA157EF8FABB265CC3E4E86EC10B4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000752775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:53.885{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57731-false52.238.248.7-443https 354300x8000000000000000752774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:52.559{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57730-false20.54.89.106-443https 23542300x8000000000000000752773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:55.046{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=076478D07B723FFFC3B551F8826840EF,SHA256=072396FB4836315E4984DB30F1E9938A90C144041558481B713E859288185F9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:56.973{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D869826FD8EABADFB4D87F3B8B5951,SHA256=93E8EF4290589AD0D3C5AA3378152F99C8FD06C6ECC35D49FC649AF8A98C1D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.955{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6901590862C08E17D885116739112490,SHA256=EBE914BC823185B62A373142FABF32363A8653D3BAA9ACBB66171EF412F8079F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.953{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.953{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.953{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000752927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.935{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1A13BCF63E68F9E24EB1246DF72BCB,SHA256=5B6ABD0C6DBBBEADE3E71C64B3BA09880CBE09BFDE9338D06E4A098E19679462,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.931{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.931{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.929{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51980B00CA4D89F468C5F26A1A5CA96,SHA256=9EF688D462478DA31F962CF0BB92436D17D1C76A46E906699D1B137BF0D901A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.915{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.915{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.915{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.911{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.910{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.910{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.910{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.909{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.909{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.907{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.902{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.901{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.888{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.888{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.875{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.875{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.875{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.852{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.852{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.852{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.850{A78D3DEB-1A7C-634D-1600-000000008502}12362092C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000752902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.841{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.841{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.841{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.837{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.837{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.837{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.820{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.820{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.817{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.816{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.811{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.808{A78D3DEB-1A7C-634D-1600-000000008502}12362092C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.808{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.785{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.785{A78D3DEB-1B30-634D-D100-000000008502}44204416C:\Program Files\Mozilla Firefox\firefox.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+1b750|C:\Program Files\Mozilla Firefox\firefox.exe+196c9|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.770{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.770{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.770{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.770{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.770{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.770{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.770{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.772{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe10.0.14393.5127 (rs1_release_inmarket.220514-1756)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=FAED69010377AF73D19BF070833DA674,SHA256=094990F2727BAAFC51D74571EA32C18CEFCFB6C66B80EB91F3952C007CE9FC31,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000752879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.740{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.740{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.740{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.740{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.729{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.729{A78D3DEB-1B30-634D-CC00-000000008502}5668860C:\Program Files\Mozilla Firefox\firefox.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+1d12b|C:\Program Files\Mozilla Firefox\firefox.exe+196c9|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000752873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.729{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe105.0.3FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdateC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2MediumMD5=1FD347EE17287E9C9532C46A49C4ABC4,SHA256=912373AF6F3C176B7E0A71C986D6288F76F5BE80DE7C9A580B110690271E9237,IMPHASH=8E3C51C1AC97BB4E0AD1FE0F10EFE09F{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate 10341000x8000000000000000752872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.727{A78D3DEB-1B30-634D-CC00-000000008502}5668860C:\Program Files\Mozilla Firefox\firefox.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+1b750|C:\Program Files\Mozilla Firefox\firefox.exe+196c9|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.724{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=D5C1CED683E148E763DC233FD345C7E8,SHA256=D686A3DFCE012CD55C49B8D62EE3D80E42293B674F825617352FFC1D77F528B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.721{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.721{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.693{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-D000-000000008502}4336C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.691{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-D000-000000008502}4336C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.690{A78D3DEB-1B30-634D-C500-000000008502}61046092C:\Windows\system32\devicecensus.exe{A78D3DEB-1B30-634D-D000-000000008502}4336C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\devicecensus.exe+15de|C:\Windows\system32\devicecensus.exe+24a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.690{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.689{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.689{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.689{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.689{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.689{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.688{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.686{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.686{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.686{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.685{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.685{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.685{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2F-634D-C400-000000008502}5372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.643{A78D3DEB-1B30-634D-CF00-000000008502}21602120C:\Windows\system32\conhost.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.628{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.628{A78D3DEB-1B30-634D-CD00-000000008502}41485732C:\Windows\system32\conhost.exe{A78D3DEB-1B30-634D-C700-000000008502}5248C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.612{A78D3DEB-1B30-634D-CE00-000000008502}49884548C:\Windows\system32\conhost.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.612{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-CF00-000000008502}2160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.612{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.612{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.612{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7C-634D-1600-000000008502}12362084C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-CC00-000000008502}5668C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7C-634D-1600-000000008502}12362092C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-CE00-000000008502}4988C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-CD00-000000008502}4148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.596{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-CB00-000000008502}3364C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7C-634D-1600-000000008502}12361396C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-CB00-000000008502}3364C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-C800-000000008502}4300C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7C-634D-1600-000000008502}12361372C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C800-000000008502}4300C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C900-000000008502}4284C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B30-634D-C700-000000008502}5248C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7C-634D-1600-000000008502}12362296C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C500-000000008502}6104C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-C700-000000008502}5248C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.581{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.456{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD49607C87ED108CC62AE339A80EE6F,SHA256=48761D74C94B6ED473255CE0B48FFF3F2D8830B7A3B6756E23AE47528229D548,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000752784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:54.218{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57732-false72.21.81.240-80http 23542300x8000000000000000752783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.145{A78D3DEB-1A7C-634D-1100-000000008502}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A33A3FBCB5146B1A1DF3212FE22519F9,SHA256=D2D27A6E6126AC26E06CAD4D456C8C4C745B88C2DEBAE5E70A9B3FA845CB5C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.978{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2ed25.TMPMD5=D45A52C72CA8B3C20F77F3778A6BC23D,SHA256=85040285E45EF53FC8A3AB8DA420E7BD8FC29048AB44C9358933D6F4C059F8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.900{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=54EF9938B3F013D09351638B9C776A8D,SHA256=C711E98E44C1C5DE85E39B79E9294BD6E1A8C607CE8811583DB200D04C1ACE77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.498{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EB609F1E55676F01D6A591FCDD6865,SHA256=6113782F63ADE944E381D455FB3F04285AE88F80A5437CBC3EA06DDF31F6066D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.495{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE5AC448866CD0C2AA931353FB697E8,SHA256=3C6B5CA2B6F071273455CFD86550A726C62F8629EAEFC0025FB2136121FF1F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:57.223{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3D841EDB098A1B4DDF839E757BD2E44A,SHA256=3DBE5C98934AEA7014402A74EDDD007AE712E0146289D711A9A60DE843E07153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.329{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.329{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.329{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.319{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.318{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.318{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D200-000000008502}5792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.302{A78D3DEB-1A7C-634D-1400-000000008502}10721540C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.243{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.243{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.243{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.243{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.243{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.243{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 354300x8000000000000000752953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:55.093{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60035- 10341000x8000000000000000752952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.203{A78D3DEB-1A7C-634D-1400-000000008502}10721996C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.178{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B31-634D-D300-000000008502}6068C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000752950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.177{A78D3DEB-1A7C-634D-1600-000000008502}12361372C:\Windows\system32\svchost.exe{A78D3DEB-1B31-634D-D300-000000008502}6068C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e034|c:\windows\system32\UBPM.dll+11582|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.176{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.176{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.021{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.020{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.019{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000752944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.019{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.019{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.019{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.019{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.019{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CF00-000000008502}2160C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.019{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CF00-000000008502}2160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.019{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CF00-000000008502}2160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.019{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.018{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.018{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CF00-000000008502}2160C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.018{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CF00-000000008502}2160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000752933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.018{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B30-634D-CF00-000000008502}2160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000752932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.013{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2e95c.TMPMD5=F648F3EA0B2FE714D398A11ED1CD1185,SHA256=6EF05D0485E1C5D7BFFF7C8DB905FD463E13C12F9646FAEC837F7656F2762344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.964{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000752980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.898{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.883{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.867{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.867{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000752976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.664{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.570{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DC733068B6D0BF9F89BB4EF56154B4,SHA256=476A926770F5FC05AB7CB03D9DAB71D7A98021E5002BCDA70185DCEC5E4E881B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:58.065{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5100A2E89EAF9A9EE920E4125A4953DA,SHA256=D9DF3A8D19DCCDC2A21118D9DD8F2B6AC690218EAEE06AF1F120B0EDF2B04CB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000752974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:56.114{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56661- 23542300x8000000000000000752973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.230{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD73315D50C1BFB279801D10EB48A5B3,SHA256=A6614F44B62EA09777B54E7E79F7C56A44B533927071CA9400B8907C203A8B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.071{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2ed83.TMPMD5=523C2575A285A499F28CE5F68B236D81,SHA256=357662894A084C44C704D6A497CB41A64C83F73010DE81AEFFAC9752AB8F0AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.024{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2ed54.TMPMD5=7F6DFD8C8E904F58F5D8C705E67CA442,SHA256=6DD33470C61E8C5C986903754F4A4A105864EAA9850E052C3ACD5408ACE0D668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.765{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\ls-archive.sqlite-journalMD5=E8648B0F0D389D11348EC24A8EFC146A,SHA256=58FA63D04DB576177DB91DDA34AB3968E1D3ABF39CF81EF8E30903812A98B2D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.702{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\ls-archive.sqlite-journalMD5=5514AF2948148F1B431D00D3DE909B9D,SHA256=32676BE210FD515040D25846A6C7AC289701F531CB65C673F17E8493153B79AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.702{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0762BD77622567F711E3C12E96DEDD98,SHA256=6BD2FA51186C9B5ED8713C05E0D11B1BD734522AE2BE2492E769BFC9F166EF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.624{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\ls-archive.sqlite-journalMD5=07575A0B249E1CECB6F143708358B893,SHA256=41A780695EDBE8F2FEC23BAC4127078A381153D481F0D9844AAF33ACD5388313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.578{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage.sqlite-journalMD5=1AADC2427FCF93BDC503956BF0A6B620,SHA256=EBB0AE3A6219F2DDCCD6508E19784BCE40515FE09399B738001793DC3F087DC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:58.112{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49730-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:59.159{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\respondent-20221017090356-002MD5=75B25DC729C19E88528C82668494583A,SHA256=ABB595BDF77E2788F2F972811CAEECA924DDF1180379487ABCCADDFB4B859A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:06:59.158{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF0BAEFFC5773CB604EBC31841FB5AE,SHA256=749085FC35723AF2281993CFEBEBF9D7F33921B34F2B7D21E59B19B4351E1E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.532{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\pending_pings\f25a5a40-4044-4b6d-9741-31a4f3e43217MD5=961432A305076EFC606F75862130E64E,SHA256=0FA534559B783984786A44DBAE44D10B0FC731243FFA97DD8B5C51432ABE3F3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.512{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.512{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.512{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.511{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.511{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.511{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000753059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.466{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.423{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F956751AEE47D800249F1F7878EC3D,SHA256=7252C0E635F7721AB620EA0D49C0C30A2F3A0D9712D2ECE18A4EC396ACF41A92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.316{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57737-false52.167.17.97-443https 354300x8000000000000000753056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.294{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local65211- 354300x8000000000000000753055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.240{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000753054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.151{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57735-false40.126.28.21-443https 354300x8000000000000000753053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.120{A78D3DEB-1B30-634D-CA00-000000008502}6084C:\Windows\System32\SIHClient.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57734-false20.54.89.106-443https 354300x8000000000000000753052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:57.078{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57733-false20.54.89.106-443https 10341000x8000000000000000753051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.244{A78D3DEB-1B30-634D-D100-000000008502}44206048C:\Program Files\Mozilla Firefox\firefox.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a9daf4|C:\Program Files\Mozilla Firefox\xul.dll+1a9bc87|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000753050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:06:59.244{A78D3DEB-1B30-634D-D100-000000008502}4420\chrome.4420.0.26556673C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000753049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.244{A78D3DEB-1B30-634D-D100-000000008502}44203940C:\Program Files\Mozilla Firefox\firefox.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11473b|C:\Program Files\Mozilla Firefox\xul.dll+12fde11|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000753048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-ConnectPipe2022-10-17 09:06:59.244{A78D3DEB-1B30-634D-D100-000000008502}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000753047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.229{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.229{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.229{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1B30-634D-D100-000000008502}44206048C:\Program Files\Mozilla Firefox\firefox.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f45e9|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a9bdd8|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1B30-634D-D100-000000008502}44204204C:\Program Files\Mozilla Firefox\firefox.exe{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2c2c2|C:\Program Files\Mozilla Firefox\firefox.exe+5917|C:\Program Files\Mozilla Firefox\xul.dll+208751f|C:\Program Files\Mozilla Firefox\xul.dll+9ef498|C:\Program Files\Mozilla Firefox\xul.dll+9ed4e5|C:\Program Files\Mozilla Firefox\xul.dll+9f54be|C:\Program Files\Mozilla Firefox\xul.dll+1a7d453|C:\Program Files\Mozilla Firefox\xul.dll+17c9b6b|C:\Program Files\Mozilla Firefox\xul.dll+17c87c3|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+847db7|C:\Program Files\Mozilla Firefox\nss3.dll+73afc|C:\Program Files\Mozilla Firefox\nss3.dll+89171|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.220{A78D3DEB-1B33-634D-D400-000000008502}4228C:\Program Files\Mozilla Firefox\firefox.exe105.0.3FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.0.265566734\1801832196" -parentBuildID 20221007134813 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 18615 -prefMapSize 230299 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4662898-32e0-4b3b-8f8b-7dfb4a9d0be2} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 1832 1968b81d258 socketC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2LowMD5=1FD347EE17287E9C9532C46A49C4ABC4,SHA256=912373AF6F3C176B7E0A71C986D6288F76F5BE80DE7C9A580B110690271E9237,IMPHASH=8E3C51C1AC97BB4E0AD1FE0F10EFE09F{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate 10341000x8000000000000000753036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.214{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.213{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000753009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:06:59.195{A78D3DEB-1B30-634D-D100-000000008502}4420\chrome.4420.0.26556673C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000753008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:06:59.195{A78D3DEB-1B30-634D-D100-000000008502}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000753007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.132{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=78FC906AE6645731F8F6FFE9CED24F7D,SHA256=A69CFC63F1BAC553B1C93AC203B532F974CE3A88896CCA486C4F2F692505FCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.101{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=0C117100E10355EC583E91D7BFC2BABE,SHA256=62692592E56F5E48FE6AEB85D882E5FF532CDC5925AB093891C08D5B83E18D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.101{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=0F145CC1A7C6AE35731369CA1774807F,SHA256=D7128F2E512EF8C85681757DC44D283425E90952EB86010323930A0C59FA25AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.101{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=92F6B9B46C7D82C8B6B364417A8C6C0F,SHA256=98F6F183149E5076BD1682756D4ECD7D3F15E5B9C457C48324A2E4CB34D55EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.101{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=48E655DC45BC52549E5E10A5AF81D6E3,SHA256=33629B1AF4450894780031458FF39C79974D56B06C4375F9E0C23985F6CF194D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.101{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=F6AEDAC7A64A9FB2C1D0526F803D22D5,SHA256=C322098D4C4075D55BA3D0DDE121137DA2D8545708F80FDCDD7AFB0F3E781869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.086{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=06152291B53B87C13B40DA55579581C3,SHA256=A06B5EA0EDCFE9DAAE8D4F9A2B4E5470DE311FEB43DE8602282D63A4104FB71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.086{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=236F15C03A9846E7F9FEA1FC7D145A20,SHA256=C4D585A56F587AEB7010B9BF4F1F5320734B3BE4C2B59C5AD33012ED2977BC14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.086{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=6ED2B45B7F3EA998A42E8BD2D605F46C,SHA256=650BA4BBB7F2086FF29D38AC6F809997E39F4AFD7A7676223B67CED760686751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.086{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=0B2AC1D61B6C87B78959535855BC9368,SHA256=0E487CC414FCB4736A82021203EA3C4CCC47ADCF0F56A4F0F33D67906E596C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.086{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=FA297D1B78345B1B041C6D92CBE43427,SHA256=85CA56BD5C8AD36E1609870DEC2720C3112935C8DC93F52DDC66EAE1601580FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.086{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=5AE1227D0A95177572292A0AA686B5F1,SHA256=17A2F79DB46DE73546FEDFBFDFBA5BC50BA3226E9253883858621C7EB4B18D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.070{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=9289AD47063E1E0D70C510EEACA5FACF,SHA256=F79E868CA76A53BF0BA08C6EFE8993A380696D0481813407CFF4DC94C1309817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.070{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=361BA8E0F03DE56E0EE04EFD2F1FE006,SHA256=FE94E3E13C5B831012B99889FBCD9B4633270C5786876C692E8F8692728A89F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.070{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=6E3E38BDCA8F2E3843F0E3EF58E64160,SHA256=A22167F0BA741C1C23F3BBE7A1B6FECFBAE9097F6A537DB237814DD2111743EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.070{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=17C2F2F4AD147D9A791D040688F6930D,SHA256=EB627FBC14CCFBFBD100087C1E5FA5AECE37C935DFC87B9F978FB3511F458B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.070{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=2383FD6CD0EF6A234AE6BE372C965C34,SHA256=685FB3D166E382E3BA45004D18D3BADF8119C8527DA859374F5BCDE59D876D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.070{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=4BD6B036986D5414BC15CF063E7E668B,SHA256=1773BBC01E74C794E2F97DCD3910BE1964A2A1118097D9F3822F71860A4E942C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.070{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=8D846F16C211D42A224658B6007DF1B4,SHA256=15AA46D21DFA5800D33DCB3A3384D7F641A6438020B0D5B564E3800B87D3CD2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.054{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=999EAA3E7ACD7551A7015E2330A2B1D7,SHA256=423C81FF581EB72D73F39E3A2AFB177396519757A0DC02D3FB44C993C7CEDE77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.054{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=4CB9243A2EA2ABE501F56139A5BE70B5,SHA256=725B947FFAAE1C7CCBBDD526A89D5DCA818407315308ECD611810725FE46E70B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.054{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=724A4BA0264E3073FA66F044FFDF4E9B,SHA256=5B3CD01FA0A0C2CD77A5CB0EDFB71C57D3E96DD8B8C3ADAFF794E621B59C5ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.054{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=D175C1F971665BDC829D3E133A45803F,SHA256=7E5A0AD15AEB3CCFB6F1B94CB408FCA602A396BA669E6D0E0E4DB1D970753876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.054{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=CB5247758AC22662B32BB4C996009058,SHA256=A98BF41BC8CE4A2FB66B4D8F538EF834819E305D752325CCF28D4A5923B4073C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.054{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=938FDE141891AE1B414769EA69B2B30A,SHA256=F755564DAF65EDAD7B85BF3E099CC657CD9A20918242D73BEFCB5B93CF955C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000752982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.008{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j7uh5vvx.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:00.679{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0652828B9CAC00A83DF4A279502899D0,SHA256=FCDA35CD97D92D60DBEB7645EBE6AAA8B494DFD1B7325A3BA0B35F96F1D19F44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.491{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57142- 354300x8000000000000000753085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.490{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58350- 354300x8000000000000000753084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.464{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57742-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x8000000000000000753083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.457{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57741-false142.250.191.163ord38s30-in-f3.1e100.net80http 354300x8000000000000000753082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.453{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49406- 354300x8000000000000000753081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.452{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50312- 354300x8000000000000000753080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.439{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64831- 354300x8000000000000000753079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.437{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61165- 10341000x8000000000000000518448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.771{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.766{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.759{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.753{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.751{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.746{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.745{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.741{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.739{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.733{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.726{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.724{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.711{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.687{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.682{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.662{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.657{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.615{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.554{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.524{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.513{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.498{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.494{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.491{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.488{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.485{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.465{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.458{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.444{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000518419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.437{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 23542300x8000000000000000518418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.229{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AA834919B7D52ABFC13C17861F1C5F,SHA256=B9EE4C0E6A14FC202DD5BE690780C102CD3A68973133EB4EA637D10BAAC3AC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:00.170{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-003MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.412{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57740-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000753077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.393{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local63314- 354300x8000000000000000753076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.183{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62567- 354300x8000000000000000753075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.843{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-57739-false127.0.0.1-57738- 354300x8000000000000000753074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:58.843{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-57739-false127.0.0.1-57738- 22542200x8000000000000000753073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.408{A78D3DEB-1B30-634D-D100-000000008502}4420prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000753072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.407{A78D3DEB-1B30-634D-D100-000000008502}4420prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000753113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.997{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.968{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.963{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.951{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.947{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.933{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.926{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.917{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.911{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.904{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.897{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.863{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.860{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x8000000000000000753099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.714{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=F8B247CFB2A4E21571E0C786C9E6D15C,SHA256=2D7D2D622853A1C33FEBC5BF1FCBA2AF90992E4532D2DBF2E1FE4EA9032FF5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.714{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=FBB1F0B01D6843EFC825272851FE6787,SHA256=1654F03D0D1AA98EC6BF667ABB8B7735CFB38EE680F913FA901D45AAD8A654D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.667{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02720A93C07CB83ABF87E75C51362B27,SHA256=0C9B837064B9C98978CFBC5BA51651FC6472DCFDAA8B20301B46ED3154AF6285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:01.405{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF610D9DFA5F5F038AA594195786AF2,SHA256=8A6B1275ACC92E36B31F5D1D2EB63D2BF5DEC1FA6E404D721A2873C7994AD0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.558{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journalMD5=2954AA65C8E00ED53265B8EF7BA1DECF,SHA256=E55FF59F34605929F04C90A6EFCB07ECE83504CAC2A834F44C81184CFD3A5EAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.511{A78D3DEB-1B2D-634D-C300-000000008502}42165308C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x8000000000000000753094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.495{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journalMD5=74222130DAFA22CCD86D204F459FD493,SHA256=789BB11B7127A0BC0F566F76726B09F899B5A7D9E8363DABDF488E807C7BA917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.403{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage.sqlite-journalMD5=4776E401C7CAFCA412F3CE66253ECF51,SHA256=3C91237B9C62012EF4A58E95C21322740C6D4098F8B43E7E6D1319BBEC385464,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000753092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.500{A78D3DEB-1B30-634D-D100-000000008502}4420cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000753091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.498{A78D3DEB-1B30-634D-D100-000000008502}4420cs9.wac.phicdn.net072.21.91.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000753090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.494{A78D3DEB-1B30-634D-D100-000000008502}4420prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000753089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.460{A78D3DEB-1B30-634D-D100-000000008502}4420prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000753088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.038{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\ls-archive.sqlite-journalMD5=CA4CA9148030E4342143117D38B18106,SHA256=9D9CA784942719B78ED3C888C3F4A0DC5498DD4ED992CB4D980C36B701A498BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.875{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57744-false108.156.172.105server-108-156-172-105.cmh68.r.cloudfront.net443https 354300x8000000000000000753154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.874{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58115- 354300x8000000000000000753153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.874{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59462- 354300x8000000000000000753152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.872{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49753- 10341000x8000000000000000753151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.896{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000753150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.896{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=63C644CE3FBAC5906FC9B9AB705870F9,SHA256=579481CBD870817FE3A9EDA6289880EDD22FC3E27920311221524CED76D54BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.896{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=3B2FF24C4AAD3CADF828331DC423B88E,SHA256=13709DCC4F4A178E4CE9153EB4B4C2A4688AEF0A8965B788EC58E3E40B9526C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.882{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=D6BE31A752B4C18D76694E9DEBE55519,SHA256=74767299E0E6DF1E6EEB63E19DC7329FC59BE25F83FB581A6164C324AEAD5412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.882{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=1753630381F014EE87019C9E081CC6D6,SHA256=0C364A7BBC3F578414E57A6C4592CD94F7F2166FE858A66B27388FCE6E67697C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.882{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=B5635FA42FAE76453017CDCE54A4C8B5,SHA256=0155380AD554B85C2C19B5853C10FF28E1831A5751C935838D60E5C8047D7EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.882{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7FE574B5DD4A5A0CB8BB09DEA514B1DD,SHA256=3643C99F281E74D51DF3ACFA035EDE8B095346B713F93AEB54C9FD77F79427D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000753144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.838{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\SiteSecurityServiceState.txt2022-10-17 09:07:02.838 23542300x8000000000000000518450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:02.487{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE32FAA4A3CF7F1A120D2DD5E4F02BE9,SHA256=3AF3769B842A41E8F8516D6CF28D7104B0544A51A8D1E16A47D73D40AC2393B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.557{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.557{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.555{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.555{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000753139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.461{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\pending_pings\1602280e-e6cf-4bdc-9ed0-775af80491beMD5=6B279668A69ABD63888D5DD9CCA19096,SHA256=FC039F0652F12BB134D0D6A86EFF7933E56B05F0B9CDEC729D99070A05B74E74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.453{A78D3DEB-1B2D-634D-C300-000000008502}42165308C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x8000000000000000753137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.429{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.350{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.348{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x8000000000000000753134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.329{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=45D2F58A15DF5C45E6961693D5226E4F,SHA256=618CD8F14A22A48281E8CD421138C8B9FFB7FBDA0ED27E49EE83A3226886945D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.327{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=8E9222010C52C6AA14E8674CFDE0EEFE,SHA256=298637D98819FEE7A8C431A331AB30C9E0624498A5E9B54CA9D7618F38819A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.325{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=CB5B1F5AF660EEE7483F8629F0960973,SHA256=5A89894A24C6ED915DE47FD04B5FF38D97A0EF6A181D95D4DF8CA9428EF48A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.323{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=CB5B1F5AF660EEE7483F8629F0960973,SHA256=5A89894A24C6ED915DE47FD04B5FF38D97A0EF6A181D95D4DF8CA9428EF48A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.252{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=40B41B1835C9B0B9F9E896156874CCBE,SHA256=97658DA991EB6EE49574F64CAE30144AA77B65EE2482B2AF200874B66FC8AD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.250{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=5EF0B269FC510DB1DBF1D7E745E1E498,SHA256=06FDCE2182379B946430320F68841F0D52BCE21FBD0B707003ACB4EFE9F662C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:00.191{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49351- 354300x8000000000000000753127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:00.191{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57982- 354300x8000000000000000753126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:06:59.503{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57743-false72.21.91.29-80http 23542300x8000000000000000753125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.098{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-journalMD5=10FF931A58E69EB6AD5B574CEF2582EC,SHA256=5DC094D030C007106AFA97A367AFDA832E540982D75554F9FD11C20AD4E3CB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.042{A78D3DEB-1B30-634D-D100-000000008502}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\6ooy0ty8.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-journalMD5=FD527358C36F29E084FCCF55DB84CD30,SHA256=8D085D5F33026CC2C051DE9A7AED0C5B70ACEA8FCE6480EC2C2C1857553F5B7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.031{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.029{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.024{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.021{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.018{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.011{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.010{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.004{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.001{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.999{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x8000000000000000753170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:03.894{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A194FEFD4DDAECD2F6B319B991C8976,SHA256=8300349892EA79F09C9F0874CA815A241C58967B7B5667E614469D634A6D00CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:03.698{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:03.698{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:03.698{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:03.677{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:03.566{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51889693100E430972880FAAF82569D,SHA256=AC76A16F7B980A6615EEBB62B6CDF8B65F896C37D4B29FAAFC4E7EFFD5E73808,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.270{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57747-false72.21.91.29-80http 354300x8000000000000000753168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:02.202{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local50797- 354300x8000000000000000753167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.957{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57746-false104.123.153.192a104-123-153-192.deploy.static.akamaitechnologies.com80http 354300x8000000000000000753166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.939{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61107- 354300x8000000000000000753165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.939{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49832- 354300x8000000000000000753164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.937{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57112- 354300x8000000000000000753163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.919{A78D3DEB-1B30-634D-D100-000000008502}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57745-false34.160.144.191-443https 354300x8000000000000000753162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.907{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64025- 22542200x8000000000000000753161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.948{A78D3DEB-1B30-634D-D100-000000008502}4420a1887.dscq.akamai.net02600:1405:9000::684c:d633;2600:1405:9000::684c:d608;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000753160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.947{A78D3DEB-1B30-634D-D100-000000008502}4420a1887.dscq.akamai.net0104.123.153.144;104.123.153.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000753159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.946{A78D3DEB-1B30-634D-D100-000000008502}4420r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:104.123.153.192;::ffff:104.123.153.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000753158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.915{A78D3DEB-1B30-634D-D100-000000008502}4420prod.content-signature-chains.prod.webservices.mozgcp.net02600:1901:0:92a9::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000753157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:01.914{A78D3DEB-1B30-634D-D100-000000008502}4420prod.content-signature-chains.prod.webservices.mozgcp.net034.160.144.191;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000753156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:03.021{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B311655500502B74D7F12AD0C52671,SHA256=DDC9452988AE080EC638113EB5EF203E2998B4426B52785BE9AA558F0EDD797F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.991{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A3D9ECE51025F2E9E58BFA124CC84B,SHA256=C7E285DCDFEB295FA3D68BDEA7FD7C69E305FF09F3A69A516787814D6107C87A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.991{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.979{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.947{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.939{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.928{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.922{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.921{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.919{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.916{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.910{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.910{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.906{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.905{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.905{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x8000000000000000518456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:04.654{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043594A7ECAB44E1AAAEFE8EA9156E16,SHA256=2E2B44F6E494F9346FBEE60B27D531640F32A316D51322682003CB88B54425A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.389{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.388{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:04.243{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000753195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:05.940{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E14C66F6FB598C4B6A1CA5EAD32DF71,SHA256=DFBA694FE7B370B7BFDB8F10D1A14D7096CB10B49BAD7AA3C5F716CC66A90674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:05.746{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13365EE99B7026C1358DAF6B614E69EF,SHA256=D1F8C5E61AAF25B31635FF1C73D1AD7E7C81CF70836A86998DFC945E5193E36B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:03.247{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62173- 354300x8000000000000000753193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:03.247{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61482- 354300x8000000000000000753192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:03.247{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57748-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000753191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:05.006{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:05.004{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000753189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:05.002{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 354300x8000000000000000518457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:03.175{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49731-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:06.837{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC62DAF3E2432DCB44E8D87B2CB595B,SHA256=1D8F7648F7E6E39E1835743E00C0EDF6BCD5BEDE3F075458AA1A7D0B4EB98A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:07.031{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107DF6121D2ED2E6B84E2347754D30D6,SHA256=AED316859109522DF908CB3EF113012D2EEFAF860CA7589C58630A0AAD1FB37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:08.128{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF490F5775D9A343830D3B5DB089DC2,SHA256=5AB0BFFF5769EE86DA528EAC32DA0E8AB65716A9A55118909E8F587DAD913184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:08.334{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D0B6945F67C310305FD753EA3F0196CA,SHA256=A9EC4A3147A1A6F6B336DDF0ECDACA048979EDA5C7D4470632E2FFCFC5EAD28C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:08.038{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886B24A1C01F3BE8C55D4697D6B0ADD6,SHA256=8D5F24DE63369AB077023E70ABB053CE11F26D731673837ACFA79C5BBFA47CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:09.235{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1C97B3105B6196A30F91156F9CFF83,SHA256=7BCACC1667B5F60B9572D0EEFF050819EAD911CA6D1AAD91635D721D2C7B48D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:09.244{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F05BFED025158901192DFF1AB5687C7,SHA256=2047FCD31A49F8620D87F776B80304168435AD59FE7B5CD4071591911143313F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:10.344{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA767EB91C93BDA428D4D7DCD419B9C,SHA256=F28E8C8E7B66A7410F5A753B990C09BCAA7D935CD90CC1B9766B4805D78EA606,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000753203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1158SetValue2022-10-17 09:07:10.370{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHiddenDWORD (0x00000000) 13241300x8000000000000000753202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1158SetValue2022-10-17 09:07:10.370{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000000) 13241300x8000000000000000753201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT1158SetValue2022-10-17 09:07:10.370{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000001) 354300x8000000000000000753200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:09.165{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57749-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:10.323{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02F273E52344D14EAE43F8B84420004,SHA256=32BA46399142EAFA10BFBE9563CDF165BB1E3B35F498FF491C453B48E246C1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:11.543{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74CC39479637B0A4D4055592E75E971,SHA256=85E08482F01D8EEE59B36165E7CC1C1821E33944E2437B7C6D5E2625A22C97CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:11.530{A78D3DEB-1AE8-634D-9000-000000008502}43404376C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000753205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:11.530{A78D3DEB-1AE8-634D-9000-000000008502}43404376C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000753204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:11.421{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA41D23BCF06BA9CF049AFC8897B2FF7,SHA256=DEC058D894B6DF6C8FB9B5C723E3DCE8B88E098C2ABDB54C3FFA8674661BDA43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:09.151{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49732-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:12.730{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF821CDE0ADB32D34C46CE6DB97F7499,SHA256=F484448930BE37C7A63E6CE94D082F039AAC8B671F528E517C1B932EDC1886B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:12.683{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0EB2033C5E2A9AC92A315DE8CAAD4570,SHA256=1959665AD4B5BFCB48F722986F936D31F1AD34D13B68B15F86588C7F6E1A99D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:12.517{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB0FDEFE81D62B4D7121D198187BF68,SHA256=E16CBF7A452C5358F069E5732E14169CC746A67DB7A79B3E3833CC9469EFCB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:13.851{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8849181B7D465FA7124A12413F2C0FF7,SHA256=F349E2EC5D8005515E990A581BF13C771D1CE4CA637D499E0187E9AE5023A566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:13.622{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7721C69082803180E912D8DD8E14B0D1,SHA256=8E65D0FE91295BA83D10749AC0763D3994F66D22E691EE464567371F212D2CDB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000753209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:07:13.278{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e207-0xd886cdb0) 23542300x8000000000000000753212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:14.886{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\respondent-20221017090412-002MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:14.727{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BE6A7D8008E9DE2317F51D2B6890C4,SHA256=F9B2A40CA04156F285E956480CD4DDAB2C58E5B6BCAD30CC9662D28711C23D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:15.897{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\surveyor-20221017090410-003MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:15.816{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C594745873DD5996DA8B2ED6AD8CC3C4,SHA256=99340DFE12EE3193E35DB15FBB8D877385ECF99A922A4AE45917650F8414F9EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:14.178{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57750-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:15.163{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5FC28FB077D5F3BC67362A47677186,SHA256=057381DE8973F6F7C0996323F1C53DC1F590E3833059C06B200144B0D58DB6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:16.903{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC67E69F5208C5C8B913CC512AF8AEA,SHA256=280B2A66EF40A960A841C318AC709721C55BDE8F5D3102932E053A54D73B36EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:16.908{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:16.469{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CAE78D0EC8AF3CC8AB8A517054E0AA,SHA256=318AFDC85729F0DD666ADFFF2C7FB3E03BFAB8F0C2D8D31FEDD7C04C1CB42727,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:15.164{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:17.995{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62952B1093C7DA1F6B5C990CD43EC44A,SHA256=183CA7C70C650EE86A71F0CAEE0B449F86603984217ED570F5F21C76202FBC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:17.551{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10FC5FF7B7253B448B355A43D95EA51,SHA256=2194FEC36080E246B51CEA59AD20B80C603600A474765B61EE57D09C55EBC3A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:18.645{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C1B8335C1656CD8E038EACAD743856,SHA256=7831CC80B7EC79A11C1402306A3F2E2D33D8B3AE88BE224FC9E29F6453A85D38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:16.893{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49734-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000518475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:19.953{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC7CE736E78393A3309044265FE12A6,SHA256=567F235F64B14ED00F57C45810D4A553110BFC9EF925E06ABC3195A79A76E17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:19.083{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B827C07FA79D463803DA49B0516C752,SHA256=B18FE3EC930302DB9EF8388A7F28999B5E24CF21292139EB86A31D45CF384EA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:19.340{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57751-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:20.174{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52BD590710455BE80C63EB4B25470387,SHA256=7C0607BD849F151283A143B31D3B10100DD7EC035A6C9684456995C10FE006E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.628{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.625{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.623{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.619{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.618{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.616{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.614{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.612{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.611{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.605{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.601{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.596{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.590{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.579{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.576{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.568{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.565{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.543{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.510{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.498{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.491{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.483{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.474{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.468{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.463{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.456{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.448{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.434{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.429{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:20.425{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000753242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.998{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.991{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.990{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.982{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.980{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.978{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.946{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.928{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.923{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.916{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.908{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.902{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.892{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.886{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.878{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.871{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.836{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.833{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 23542300x8000000000000000753222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.478{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.259{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE8FC0BDA9E26B135C1F774034F506B,SHA256=F64725986A4B499BE4CA50DCCF28FA6A2FBC6939CB8F09FAFD63D0BB21A4950C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:21.142{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6CB48C3ABB594454CEF1DD5E6C87F6,SHA256=68E5E02E2F359DCDC3A3B55AC32AB08590E48F8119A02DD5F4CAF9555D0F563E,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000753251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:07:22.932{A78D3DEB-1AE9-634D-9A00-000000008502}4876\UIA_PIPE_4876_00004d3dC:\Windows\Explorer.EXE 10341000x8000000000000000753250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:22.792{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:22.391{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:22.389{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 23542300x8000000000000000753247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:22.327{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7127AED33473F42071DFEA70413701CF,SHA256=F4617FD4DF4154AEFD5A6F1E6938812AF3360BE2EFF6E0E3C89DD535E50C9C42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:21.111{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49735-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:22.231{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3607234EEA9D469039F9F3EC5015F42,SHA256=A99A6A2317EE257A32EC3C251CCB862C90208B03E3A49AC58E80880D805F2BD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:22.016{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:22.014{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:22.005{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:22.001{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.927{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.927{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.927{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.926{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.926{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.926{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.772{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B4B-634D-D600-000000008502}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.772{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.772{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.772{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.772{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.772{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B4B-634D-D600-000000008502}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.772{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B4B-634D-D600-000000008502}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.773{A78D3DEB-1B4B-634D-D600-000000008502}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000753259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.415{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8EB10C3404F5B57FE1776393C9FC89,SHA256=789BE230B75EBC13A54D8DF1174812550DCA56F6ACF33C4AD1F9888DE48613E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:23.325{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702D15D60E41DEBF5102E8F125D6F1CC,SHA256=E1AA2A6E40CD6359FA71D696052A4BDF71ABDE09D5803C0F2EA9B34725272ACB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.070{A78D3DEB-1A7C-634D-1600-000000008502}12361396C:\Windows\system32\svchost.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000753257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:21.579{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57752-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000753256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.070{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.070{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.070{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.070{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:23.070{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B4B-634D-D500-000000008502}2840C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.969{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.958{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.949{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.944{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.943{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.936{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.932{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.931{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.928{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.927{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.924{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.617{A78D3DEB-1B4C-634D-D700-000000008502}60685072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000753285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.493{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D6BD57BB37D9BFA9F50154D9EA88A0,SHA256=C729D6F82029C85F5D227AF9F72248B679939D991C8FD066586AF17DEB371294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.461{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B4C-634D-D700-000000008502}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.461{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.461{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.461{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.461{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.461{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B4C-634D-D700-000000008502}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.461{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B4C-634D-D700-000000008502}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.462{A78D3DEB-1B4C-634D-D700-000000008502}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:24.418{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56214117EE7F80990952BD39A61E463E,SHA256=86347132306B90D2EB962CCE2010571090204D2EB26A22F63742FCB10E3B9FA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.413{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.412{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 23542300x8000000000000000753274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.128{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=811AB001457560AC8369749FE2D73C93,SHA256=DB60E6ED7481AD8578C06461E406422A5FE219E5460343666273686910EB3136,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.154{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57753-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000753314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:24.154{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57753-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000753313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.620{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B17DDFF03C471688E3E4A585514636,SHA256=80417FAB824EC642F9898D39C223622E684BD0EA72D354DB1114846219062877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:25.500{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035BF501923FBB97BDB0BDF75DFB49ED,SHA256=72174412EA6F137C1DFE169EB5E3E74EF80A54740DCA8356A2D220CEDBE6A85E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.216{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1CC9D3D07384836CA85F65D5D16761E1,SHA256=57B3C05DF4CCB21A996DA656C03C0D6CB1435FF941EC1EB0EDE7C8553034B71D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.154{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B4D-634D-D800-000000008502}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.151{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.151{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.151{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.151{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B4D-634D-D800-000000008502}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.151{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.150{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B4D-634D-D800-000000008502}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.150{A78D3DEB-1B4D-634D-D800-000000008502}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000753303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.041{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.040{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.037{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.027{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.018{A78D3DEB-1AF5-634D-9E00-000000008502}54845604C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012910190) 10341000x8000000000000000753325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:26.990{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B4E-634D-D900-000000008502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:26.988{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:26.988{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:26.987{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:26.987{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:26.987{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B4E-634D-D900-000000008502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:26.987{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B4E-634D-D900-000000008502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:26.987{A78D3DEB-1B4E-634D-D900-000000008502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000753317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:25.261{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57754-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:26.673{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CF9FDAAB861A55A830672383026311,SHA256=D171738E85C5B5ABFE856572AD136835758EA2922668152A190DD838DC32CEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:26.596{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69BBBF718A27278F183C1761C94C127,SHA256=DCF54F54324C148ECFF7517F29EDC2A805CE98446769E97E09F9AAE43262DEE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.830{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B4F-634D-DA00-000000008502}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.830{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.830{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.830{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.830{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.830{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B4F-634D-DA00-000000008502}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.830{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B4F-634D-DA00-000000008502}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.831{A78D3DEB-1B4F-634D-DA00-000000008502}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000753327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.768{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A06A309927BE20FAB1B87CD6CDF9A01,SHA256=4DD5EFD879BEA36282BAFE817A8CA4561767C6770E15AB531F3526E3B60DA306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:27.687{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44D9E5F418DBBDF40B1D5C809841BDA,SHA256=C11D58C11A772BC8CB851664F6BEE72ED5DBE6BB5A5594AC82012D3BF086B882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:27.159{A78D3DEB-1B4E-634D-D900-000000008502}47961548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000518513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:26.154{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.866{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABA8379C4B87805B08E9F982B701F65,SHA256=DFBF024B64D2C37D773C39DC9F7004A857094C86E24B626A7C3AD58DBF741D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:28.776{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76E25A52D0E7DC26ED711028B1AFDDD,SHA256=8253E459FEA9D14A05773BDE107796C409F07FA319E9B594C5BDB2C40F0F94D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.663{A78D3DEB-1B50-634D-DB00-000000008502}30165068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.507{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B50-634D-DB00-000000008502}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.507{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.507{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.507{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.507{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.507{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B50-634D-DB00-000000008502}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.507{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B50-634D-DB00-000000008502}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.508{A78D3DEB-1B50-634D-DB00-000000008502}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000753336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:28.073{A78D3DEB-1B4F-634D-DA00-000000008502}60842120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000753349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:29.952{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5893FC87297294801D554DF8FA5755C8,SHA256=2014757B5ECC00C614D07528A33CAAB6BA27BAC5F0C39D70474D12EC0850FE1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:29.976{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48043D3A35B53C81F32D95AFF00D766E,SHA256=61AC5AD7B93B19537CEBEDEA62305715532C7E6E6C69CB7D3525A2E7457BAA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:29.562{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3EF950A2DE7B2B18F61A27F25B62272,SHA256=8A5A0536555A825903A86F9BE24EF520D88BCA2AB6826698D5C5EF92D42F857D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000753347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:07:29.265{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e207-0xe20e2b1e) 10341000x8000000000000000753357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:30.118{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B52-634D-DC00-000000008502}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:30.118{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:30.118{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:30.118{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:30.118{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:30.118{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B52-634D-DC00-000000008502}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:30.118{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B52-634D-DC00-000000008502}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:30.118{A78D3DEB-1B52-634D-DC00-000000008502}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000753362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:31.089{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:31.089{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:31.086{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:31.086{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000753358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:31.037{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC4D88CEEE74459E45A8DEE8B82CE08,SHA256=F5199194C9BB84BE7971B8E429AC6183CCFC14C23AABC2894CB3F66DDC719CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:31.171{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB1709044DF9DDD80872B7C27B0148C,SHA256=EDDA7415AE4B7F16BB841E22F2D5F10B507A1AFA0A524AFCA1E3E44B469E2FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:32.118{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=506AA3BB0385D2ABE17CE3E26E4EDE73,SHA256=2D91AD21413D204AAAC96AE51D338411CB4D316E56A15B2DF45DE2AFA6C5C3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:32.245{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A36712B2EA46E8B936065A05C20B503,SHA256=F6B1D6746F824513B4EFCD77AEB297B1DAE09DC2F65C3C5B716CFDAE5EF5C6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:33.240{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46C25725C7BF178DF7FB4D2C6F28CFF,SHA256=F879DBB48D7911A7F034DC1EFC636BC3724A7020355BE81B460B470F994E1769,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:31.269{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57755-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000518520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:32.136{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49737-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:33.334{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F17A80C8F97EDF9F6B080F17699C7A,SHA256=A35458B740BE52F2EDB97ABF2237BADC99B9298B0DFD3C70B6459195D954AF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:34.213{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D75475576FE27D0739000EF80F5613,SHA256=64AF2EA797B03E67C07D63FB38EBD9B8E7A2EDE90FBF716E39DC8B3460B3A684,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B56-634D-8900-000000008502}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1B56-634D-8900-000000008502}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.786{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B56-634D-8900-000000008502}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.787{5C0BDE06-1B56-634D-8900-000000008502}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.443{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9070D877AE7AF3E00A8D7F1B7AD5D6C1,SHA256=DC07C771E0CFDD4C8A4CA2A6364373C9E9D6604B7A83E1AA7249CF8784434628,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B56-634D-8800-000000008502}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1B56-634D-8800-000000008502}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.271{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B56-634D-8800-000000008502}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:34.272{5C0BDE06-1B56-634D-8800-000000008502}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.548{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFB39CAD948EF76E79E1FFCFED4AE70,SHA256=E4182A20B04AEF85CEDF3BB3CF926EE1DD7968D15838D1DC681A4DFFE80F3EE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B57-634D-8A00-000000008502}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1B57-634D-8A00-000000008502}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B57-634D-8A00-000000008502}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.456{5C0BDE06-1B57-634D-8A00-000000008502}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000753367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:35.306{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B91F9D50D4CA0F91A3FCE090F6F9E5B,SHA256=3C92EFF3A673A3DCE502E9D33AD74E8325015D8FEA20C5A382DA4F916DD33B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.409{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CFC75A95F56F9126CAAE68DBE082A73,SHA256=886CCF3D78262334506E3FD35A173AF87BC01C2D38AF30EF54551DC70D37751C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.072{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=368F9590FE22993B39C545A1361220CB,SHA256=737023186AD82503EFAA494ECDDCE535CB3F53372093C2F8CC6722274F20935E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:35.016{5C0BDE06-1B56-634D-8900-000000008502}40283908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.986{5C0BDE06-1B58-634D-8C00-000000008502}38803852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B58-634D-8C00-000000008502}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03052236C54D5C850C8E9E57C246475,SHA256=F9E6EADFEDE680B9CAEF085EEDCC1BFF85F61A19AF526629F7BA0AA3EC0CCCE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1B58-634D-8C00-000000008502}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.736{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B58-634D-8C00-000000008502}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.737{5C0BDE06-1B58-634D-8C00-000000008502}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000753368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:36.382{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD594B515B22A6C268DFCC24DF4ACAFB,SHA256=29FA09517CA164D9303782B16778C98CFE0B41CF4D3A5423527509F704BFA18F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.377{5C0BDE06-1B58-634D-8B00-000000008502}38683896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.127{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B58-634D-8B00-000000008502}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.124{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.124{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.124{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.124{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.124{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.123{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.123{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.123{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.123{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.123{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1B58-634D-8B00-000000008502}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.123{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B58-634D-8B00-000000008502}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:36.122{5C0BDE06-1B58-634D-8B00-000000008502}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.905{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6751D7E9ADF6382B1F5C7A7B42848F0,SHA256=8F40F729E012D31ACF935F00510CB3004C78271733492004E6E66A478C1A650D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.957{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C37716CE257EE1713748E399AA7EAE4,SHA256=569C2736251088787B75B12BB94EB2ACE6685D2EAA17C6B56286D85763FC3350,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.489{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.489{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.489{A78D3DEB-1AE9-634D-9A00-000000008502}48763884C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.489{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.489{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.489{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.489{A78D3DEB-1AE9-634D-9A00-000000008502}48765240C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000753391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.458{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C890EB3226CA6A9A4D6DD261C8DB443,SHA256=782A29275BD4F63308000F0DDBA6AC6530251F5D5DAA34BE0EB5896D6ACC754C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.639{5C0BDE06-1B59-634D-8D00-000000008502}29761344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B59-634D-8D00-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1B59-634D-8D00-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.421{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B59-634D-8D00-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.422{5C0BDE06-1B59-634D-8D00-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000753390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.361{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.361{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.361{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.287{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.286{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.284{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.284{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.284{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.283{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.228{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.226{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.226{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.225{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.116{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.116{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.007{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.007{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.007{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.007{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.007{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:36.991{A78D3DEB-1AE9-634D-9A00-000000008502}48764832C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+6d0bf|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\System32\SHELL32.dll+1793bc|C:\Windows\System32\SHELL32.dll+1a0124|C:\Windows\System32\SHELL32.dll+2844f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+179660|C:\Windows\System32\SHELL32.dll+176a3e|C:\Windows\System32\SHELL32.dll+60691|C:\Windows\System32\SHELL32.dll+63576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000753369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:36.921{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe8.45Notepad++Notepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=160E49FA853DB78E6148E9DC566D96D1,SHA256=5D7C97C8C0FC601CD232BFEE97F51DF83C0DC6519AE42ECF0D765E69EB56E1C3,IMPHASH=106BC08A539BA691222AAF2F52A2FC20{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000753400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:38.559{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A36FE589845D9ED281F7CE750D23C0D,SHA256=D860C248E93C5249E792D10A79E8A7B4F8E56FF6E52FED98B823BCB2B741D2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.767{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7660DFEB965083948E554A650D03133C,SHA256=3C1D3C48CB158DD6E14E5A851B28107B1AE0310797F977717422540834438A94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.094{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B5A-634D-8E00-000000008502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.089{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.089{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.089{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.089{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.089{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.089{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.089{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.088{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.088{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.088{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1B5A-634D-8E00-000000008502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.088{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B5A-634D-8E00-000000008502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:38.087{5C0BDE06-1B5A-634D-8E00-000000008502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000753412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.643{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE19120B1F786EF26292AFBCA4BDAD2,SHA256=B74FBA023ED0BCFB952D3A89D35E56B1642699B51356B5CDC936C785CF9E8C91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:37.143{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49738-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:39.032{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96ADCD00DBE5F191B0E84C7D6BF98F90,SHA256=C8E96657335DF580A80FD057899EF45A5481FF0FC512848412EB9F4A60673FD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.335{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.335{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.335{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.335{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.333{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.333{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.333{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.333{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.331{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:39.331{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 354300x8000000000000000753401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:37.213{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57756-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:40.739{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2961A5EB2C6A0669B2A10A048548FD21,SHA256=D77E9667B07F19DE753B4F8B68C3F3E9A14DE984253B28D800AE4F2E96268DFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.709{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.706{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.702{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.688{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.688{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.682{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.681{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.679{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.676{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.671{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.661{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.658{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.653{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.632{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.627{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.613{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.606{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.579{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.542{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.526{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.519{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.509{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.500{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.491{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.479{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.464{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.453{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.431{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.423{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.420{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 23542300x8000000000000000518625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:40.119{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA557662064CFD3B1304AA99EE60378B,SHA256=0F81C0FC93D857F0D83070CCE4E328EA47244FED991F9321F839F9A967008123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.997{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.990{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.988{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.983{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.980{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.978{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.976{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.944{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.939{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.926{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.922{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.914{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.906{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.899{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.889{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.882{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.873{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.865{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.829{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.826{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x8000000000000000753414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:41.820{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA98E05F5FA8189DBA10447F6B1990D6,SHA256=CBECAFDAA9897342F012FEA604A35FE9B43029B559BF2D995C7A0A8EB35CF17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:41.776{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6ACE2490C4396D09D5A1B5A5BB85FB,SHA256=BFE224AFA7F09A4E3126A211DAB72FB85F57EF4FB1B0E05A391897CA60BFE3ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:42.876{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9585430855ED9F3ECFDCB45241AC24FE,SHA256=7E9AFB10F35F48B325783A23E09F3BCBE1AD56E902379BCAF2312C2ED8EE165F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:42.814{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12A59CBF2B753160115CD1295062650,SHA256=8AD1BDED43A386BCAA414096E907B4AA8F69CBE7ADA7D630458CF5BB5D3CE23D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:42.381{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:42.379{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:42.012{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:42.009{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:42.004{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:42.000{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x8000000000000000753442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:43.993{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA22613692A81B7B4A39E421D3C2D3AD,SHA256=99B7E86B6C82EE1B2703C1445F38BB6917247EF8E71CA54A42D472A5958A924F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:43.910{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F2643160FC74429D7C560E64CDAC43,SHA256=477E9FB1D6853B45BA5E99D8277F6A47E438B1AEA73C829D03745D14C29D6E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:44.992{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A0AEDF1B4B1C2A3C01A9372C36CFC1,SHA256=F6A976C2EED6C8CE1E0B788381ED5AC75A3840CB2937EF3863BF5058EF63DBDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.978{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.972{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.964{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.959{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.958{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.955{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.953{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.950{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.949{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.947{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.946{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.945{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.430{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:44.429{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 354300x8000000000000000518659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:42.214{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49739-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000753464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:43.243{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57757-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:45.073{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3880FFE0766212C7AF1B533E4FF864B,SHA256=39D814914AC3C8CA086008C75DDE567AB9D14F1BCF60405DCA5B4589EE280CF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:45.031{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:45.029{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:45.028{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:45.026{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:45.017{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000753457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:45.008{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x8000000000000000753466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:46.585{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7F1353CF9E0B7F9F9260751F7CCE5ED6,SHA256=45DEB541C4723CD611598FB98204F96AA2E9F9F689A63E7F0C11BED77CEE1356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:46.041{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A257AA59F4D098822A747285DA8257A,SHA256=98A2C1440D4AC42EB84138A20FB47B70BDBA7823B67382AA14FF18F1AB65A7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:46.081{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA87CD31A0F8C83A41F70A141C51337,SHA256=150874B5F95CBBBB774C96A0149D63B4667289125A33E9D3DA53C400095BDF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:47.391{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DD647995915CACC2E3B72EAD39D989,SHA256=2422645E11770CA9EB78DEEE495F80538DD30B3ABD26D288BFCE1084CB4A1BAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:47.381{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000753468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:47.381{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c202|C:\Windows\System32\combase.dll+39ab3|C:\Windows\System32\combase.dll+8c40d|C:\Windows\System32\combase.dll+37efc|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000753467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:47.132{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963539C6C37DF6271DC39E9A971BCC06,SHA256=2F0F7D0DABAD2BCA5501947C0B91FDBBCD4CCA8F60B5DFBB812DFD076A0A92CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:48.697{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4969ED51BA465A274E5336AD5A86977C,SHA256=301F4A8BFD5FA6F1F6FFCB7A3F7AAC454A63C501AD68F457F309003B6A72D0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:48.215{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45376A2FF959D5A2854B66CE62776C9,SHA256=2E318B66DBCBC63888BDA63CD6B4CCD61138ABCEE52526DCF12FC7D66A6D930F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:49.785{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A89A7FBD76F7C755EB394E7B679A6C3,SHA256=7F2BBEB4E04541EF34303D70EF171856AD8BA43437DCED981E342134AE2349A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:49.328{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184C386A600738935AB65C8CA43EC0B9,SHA256=4A334640C544B245678C2F2A04B9053A3DE0AC0BFDA9230407247685CB425EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:50.409{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3954F8C9217DEC485A22DA412C351926,SHA256=DC2376DCEED77A07CBAC6F8BF6B406B940D8EBCAEBACE98C71701D0E5FF092DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:48.199{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49740-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000753472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:49.216{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57758-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:51.504{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59CC1A9458FD2C7B49FF35A8D6E2BF5,SHA256=6CB2AB58F07D30B03AA47150F7AEDF0A239753CB8375F7280E667AD7C6361A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:51.084{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED547568BE68069D87D69BB8236932DF,SHA256=CC9ECD15D4394517527E20A13CD46EBF6E69DFEF54419BAF4D40F20ED4AF537C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:52.600{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817E559A33A8C362BFBBB467B441A3FA,SHA256=B3C85C04340F99EF13E0933B492713994F7B87B183DA1088203157EDD51B1F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:52.171{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66078E272102CAF42CC46E42B0E3CC7D,SHA256=D2470F8201723B32D965AB7DB5FB71AFBEFB1BC2B2702D859158290679A13B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:53.690{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC665A092DA4C50CDEFCB14786927210,SHA256=8986242C3075F08C513A10E73D456798DE05C1EDEC7C372B700A0D9F9543EC9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.633{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.617{5C0BDE06-1A79-634D-1500-000000008502}10362716C:\Windows\system32\svchost.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.369{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B5E0A8374C3EF4B147B75A73728B46,SHA256=6EA7CD08ADE7D638B2C22A82B868410BECF58185035C115F352F6931D0964AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:53.135{5C0BDE06-1A78-634D-1100-000000008502}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B2BEC18CA8D338DA55A585D3DFED3AEC,SHA256=CDE57425AF2F7935EFF8A956203D752C66824A94C92EF7F38A28795BCA93CE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:54.776{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E4DF5FF389955A047A583C531D599A,SHA256=AD0E53A67A5FD6839F835814F397AAF91D7E177EB63F49EA988BFC37630E784C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:54.734{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7180D3EA84B3BB20582C96B6DABA0BDF,SHA256=586DBF7835DE75F7C99F4CED69512E4A0C29074ADDA881ECE5A005167A688785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:54.453{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D6A6377DB3728C942518475DF680C9,SHA256=93AFDC4130ECE069EC00AC9431FF528D49C0F7F74544AFDB0E8F91227EA13BC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:54.088{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:54.088{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:54.087{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:54.067{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:54.067{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:54.067{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 23542300x8000000000000000753480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:55.871{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23694684B2CAFCF81D1B8A146CE184F5,SHA256=43019857558AC5C6A4C872F1F0E9E3144C40BA3999A0B032B0BFDE39952A6AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:55.765{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8B2AA9F0BF19D59D469E6C1E2A2E5E,SHA256=6DFDCF09F4CF4395D74454C110BE49F5E1B3160A9FD3B0254E5C58721837E20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:55.430{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A93314A78FBE55768F2F8632B305CB2E,SHA256=26B8B28DCE5C67F205C7A15ECA148261673630FDAAD582496061641C4B1DE6A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:54.326{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57759-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000518690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:54.136{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49741-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.969{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC9B1348952DB08173DE040AE3F054C,SHA256=4E431782F27FCCE144C18A5DEC81508407B9F2257381766499DAC64F5CFF7C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:56.984{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00393C4F792297A12F9B12983BF14610,SHA256=2A001693460FE5C061685BCC2DF09076FE773BDFCBF0C514EE30FCBF9006DCD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.667{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.667{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.667{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.657{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.657{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.657{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.354{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.339{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.339{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.339{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.339{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.339{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.339{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000753481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:56.106{A78D3DEB-1A7C-634D-1100-000000008502}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8D51B416F18BEA94348B777683243C2F,SHA256=677C5F8190A5E85D07F553DEDA376161142D7D6057333CAA8528692B8C03E53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:57.436{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F04B73E8B58273D0204A8EB7AE15C21C,SHA256=AADB9336E45624DDFBBA846BCB3F2873EE81D2496D5EEDBA92DE119901869823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:57.510{5C0BDE06-1B69-634D-8F00-000000008502}2776NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:58.337{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C3433027764BF151BB5170EBBBC8FEFA,SHA256=63B5E3448022B6D7408AAEAC3457A1B8401CEB5D24A8B78081565D998424359A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:58.066{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51DA97C25A31880E76A1CD35B9E3409,SHA256=F5277E21EB746098599B9C2E2ECB39597D0E90CEEB71D0BE186805CA23F525F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:58.086{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA1AB745A3C9FD04F97EAB6FD52AEEF,SHA256=3BC7124192DC99620499D00D5E37CF2004A789D67011150D26791A591AD16C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:59.167{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32EB7DB398BFEC7E0E8475FBE4A0482,SHA256=52373724D248E3F84C67763A05852695BE17188F55BC89CB00D9867AC70DEEAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:07:59.170{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C208EC01C9FE405649B8CCAF1EA8677,SHA256=56648DFD1CEF44196786426B22E7F2FBE05B38FEC04349499E4C75E71A8B60CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.736{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.734{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.734{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.734{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.734{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.731{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.731{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 354300x8000000000000000753501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:07:59.371{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57760-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:00.263{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7AADF29E74CBD8A33E61FDE7AEF4E3,SHA256=ADE733573894CABB2E4E752920A3CD3109E83CF3BF631CE8BAE65EFD38CCEA57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.795{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.790{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.787{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.783{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.778{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.777{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.774{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.772{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.769{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.767{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.765{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.761{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.759{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.748{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.723{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.720{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.702{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.697{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 23542300x8000000000000000518710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.683{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\respondent-20221017090356-003MD5=75B25DC729C19E88528C82668494583A,SHA256=ABB595BDF77E2788F2F972811CAEECA924DDF1180379487ABCCADDFB4B859A12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.666{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.619{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.599{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.589{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.577{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.559{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.543{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.534{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.517{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.501{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.469{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.460{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.457{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 23542300x8000000000000000518696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.255{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F5D657BC85F9EE83E6788D46734028,SHA256=6AC277B32A0611835D5762CCC7AC6C4098ACE00EC4E5B96A4344D1EE756374E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:01.940{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AEF13A0BAA06C2E453DE3D1888E244,SHA256=C4036790BDC8E8710CCF61646AC64ADD738FF140F4441329626CB537F58EE57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:01.687{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-004MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:00.131{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49742-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000753532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.998{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.996{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.990{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.988{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.986{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.948{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.939{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.927{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.922{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.912{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.904{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.898{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.889{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.883{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.871{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.866{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.815{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.812{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000753513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:01.355{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21418789B87BFC80E4AF593528EFF5A0,SHA256=69ABEA1337E9012300727F62A5E66A4A274972E9C90B76756BCA52C8E07D8BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:02.632{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A72403A8EFC33FB379946F8107A7CAB,SHA256=CB89711D4DEA18260F29995899DA9C3D3C6EB489AD4409A12D0B7EF03CBA90D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:02.561{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:02.559{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000753538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:02.524{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42837EA3B43422319ECBDB7E51A95B1F,SHA256=0BBA4030B41B57FE7A70956CD3DF3A08033E63F29A08C0A72B04F5ABB5AC053F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:02.020{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:02.017{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:02.010{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:02.007{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:02.004{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000518736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:03.813{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B191517D338FF00773FAF7881ABAE6B6,SHA256=828DE4C33A67D29AFC6F9667BAE73B551A4BDFA48EDA9EF97168963AB6959ED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.952{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000753541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:03.619{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106FCDB3E3124E3E5687C160584FF43C,SHA256=4F797C468FE2329807E67EDDFE4CBCD1A2105638D7B0809C02B36C0D137526B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:03.664{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:03.429{5C0BDE06-1A78-634D-0D00-000000008502}804832C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:03.429{5C0BDE06-1A78-634D-0D00-000000008502}804832C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:04.896{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A14E958B3BC49D873466F2520FC9470,SHA256=0CEED1D2FABBAF92148665EB90A938B6A5E04C5FBF2DDBA02C33DB4833061C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:04.737{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF0311BC8FC6D32C27961EDAD4C41D3,SHA256=EEF10D66E0E6104B3998F26CA222A4F7A4322698B342B63CA995933541676D10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:04.600{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:04.598{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000753602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:04.442{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AC2573DBAAC29BE541DDD0F5F94D93F0,SHA256=7561EE13C0E38D7043E30E38008867CF4B995D35D282460594C0A09CE82AEB0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:04.225{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:04.225{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:04.225{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:04.204{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000753597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:04.098{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC218AC5AAF455386BBD3F07FC0300B1,SHA256=44FB483275BFCBBB29D1ABF038F734CBFD721DA8307CAD30086CBA64826301F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:05.988{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461E044F054B05DEF8BB24CC502C6ED2,SHA256=F289B4C078EF672579B6599D8B11D6C57572F16F46C0DA489808BACCAA1A44C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.812{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE95C1E508733E3FFBEC9DDBC4BBB419,SHA256=CCDA0E8244BAD99E28FB28551076C2921D13E467C7D056145F5A2388BBE1FE80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.214{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.212{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.211{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.210{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.208{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.198{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.189{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.156{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.143{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.135{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.131{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.129{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.127{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.125{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.121{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.121{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.118{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.117{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.116{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000753627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:06.910{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFE80878DD46B732BD6992094B1D180,SHA256=7930843C8BE0554B4B8DB2E5CA470E7CB52A2B989A5C7CEE42459FE76ED65E8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:05.224{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49743-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000753626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:05.215{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57761-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:07.290{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3741E9F0AACB187C992B6CADBA053A,SHA256=48E45EE6C4781656985A76F7167538C1CA6A49537C9AF8483032EEA26BA4E040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:08.953{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=219C4AA6C5FDF51A110DD0E30571FCCB,SHA256=32F76817C9BEA11D0151EF16F9A5B590C2A6FE4F91FFB26D0FBF50E936B9C643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:08.584{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9969A0FCDF030DD96FDCC49D568291A1,SHA256=2A65F74AC414E248D6C94CED20720D011D90646527A46E54035A9530B295E981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:08.003{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E563E167E0CCEB53951C5D4DB3F2E5,SHA256=0375628607ADDCF58BF53EB158A0F8A243114B71BFCA66A20D9D15427CFEEE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:09.686{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCCBB31D4B7916177F5BEF1DEF93158,SHA256=2E8E4C8A29729DF7FC60F18E45074B1E89D6B08BEEDF8A106633E396DC816B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:09.085{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F18A394E1DA81432872E61628D1DBBC,SHA256=4FA75F72AD19D917A28C72C261EC92F2219FCC6B2BFE52567D8B7D9C3B236DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:10.995{5C0BDE06-1B69-634D-8F00-000000008502}2776NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.TMPMD5=2EC9D969DE63184649A62FD7EDD4ECF4,SHA256=B999853FA5A8F79C728B5C9A9B1F92D825D0B1DC05B25CC79FE081859172FF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:10.948{5C0BDE06-1B69-634D-8F00-000000008502}2776NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.INIMD5=2EC9D969DE63184649A62FD7EDD4ECF4,SHA256=B999853FA5A8F79C728B5C9A9B1F92D825D0B1DC05B25CC79FE081859172FF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:10.768{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8C1E8D250EECD02842A245FC1B9755,SHA256=E1D0599E9DD438B86C4929742BB611694F51EB819E2A96C85AFB1E0A198CBB18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:08.800{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57762-false52.238.248.7-443https 23542300x8000000000000000753630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:10.179{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2EFFE85B4C42A80267C9A7E60D21BA,SHA256=E03A0C856D91F454C735747CE0F4BECCD35F5653F2E141F40A0055A3047B9AAC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000518758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.705{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x8000000000000000518757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.690{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 23542300x8000000000000000518756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:10.690{5C0BDE06-1B69-634D-8F00-000000008502}2776NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:10.690{5C0BDE06-1B69-634D-8F00-000000008502}2776NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:10.690{5C0BDE06-1B69-634D-8F00-000000008502}2776NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\0009\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000518753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashDeleteValue2022-10-17 09:08:10.674{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x8000000000000000518752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashDeleteValue2022-10-17 09:08:10.674{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x8000000000000000518751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashDeleteValue2022-10-17 09:08:10.674{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x8000000000000000518750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashDeleteValue2022-10-17 09:08:10.674{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x8000000000000000518749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashDeleteValue2022-10-17 09:08:10.674{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x8000000000000000518748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashDeleteValue2022-10-17 09:08:10.674{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x8000000000000000518747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.674{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x00006285) 13241300x8000000000000000518746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.674{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x00006284) 13241300x8000000000000000518745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.643{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 23542300x8000000000000000518744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:10.643{5C0BDE06-1B69-634D-8F00-000000008502}2776NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:11.870{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EACBDD768AF772A405E195E13B7C4970,SHA256=EB111B02D943CAAB95D6BEB0654765DA8833A5641D911B88B980C28C4149018B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:11.776{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=011A8E59A31F0B1AB9F95142E16AFB6A,SHA256=926E65AEDB3D057A20FF2C546AB598537E06C451E9E72A6F5028FAFF4E0C56F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:10.405{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57763-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:11.266{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F847127647B2B9711773053C736676E,SHA256=7258781CDB3113390EA104EAA9D3757C723AEFBB5088527B2FEFFD54900EBE55,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000518769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashDeleteValue2022-10-17 09:08:10.995{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x8000000000000000518768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.995{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List25222 25228 25238 25248 25268 25312 25322 25360 25366 25382 13241300x8000000000000000518767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.995{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x00006287) 13241300x8000000000000000518766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.995{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x00006286) 13241300x8000000000000000518765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.995{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x0000632d) 13241300x8000000000000000518764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.995{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x0000632c) 13241300x8000000000000000518763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.995{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x0000632d) 13241300x8000000000000000518762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:10.995{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x0000632c) 23542300x8000000000000000518773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:12.875{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0295F8AB3F275D611A9395AC72619D,SHA256=51DDB8D636433A2AD48EEF0DA84F596510DCF02D1490BBA766F3C0513B4D3FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:12.791{A78D3DEB-1B58-634D-DD00-000000008502}364ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=712F8144D5C3C49688C01F66A964583C,SHA256=E9535B3272C4622954685B09EDEAFA4A0EE0457FE33AF4B8DB7F1788C4981F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:12.354{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD358AE0F698583B444AD2ABFC21F789,SHA256=58242DF670BD7476597B5F1286A61ADD047CFCB4DA7E410BD3A1CACE44C11A77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:11.074{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49744-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:13.968{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD22B1F5A6AEC27B0A38E9F76AEC25A,SHA256=C3291D58B9A096E621D2283125CDCF2FF0290C5A52E9D98A7326A45B0763D439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:13.451{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEE2C2E7E6708F9CF19FCEEB29EEC15,SHA256=738AAE36E821591DD4459649E704B00170C59945FE750C59EE9B1942840309F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:14.546{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94472B4C4EEDBA71D97364AC5D1806A6,SHA256=CD2F68BC397025574104D8889E2F0A715BC5F2D678DCA5C5CD444A0F3BB6B484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:15.639{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E83886C2D13F8C0535282D1FF5BBFA,SHA256=2F6F8A0DAE23169A6B387E6F292A77B9B17C4CCD8E0F48F99C281DCD0E31EBBE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000518788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x8000000000000000518787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x8000000000000000518786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ena.sys[NdisMofResource]LowDateTime:1473079808,HighDateTime:30948602***Binary mof compiled successfully 13241300x8000000000000000518785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x8000000000000000518784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x8000000000000000518783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x8000000000000000518782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x8000000000000000518781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x8000000000000000518780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x8000000000000000518779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:2060133003,HighDateTime:30956657***Binary mof compiled successfully 13241300x8000000000000000518778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:750188612,HighDateTime:30969326***Binary mof compiled successfully 12241200x8000000000000000518777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashDeleteKey2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x8000000000000000518776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17Suspicious,ImageBeginWithBackslashSetValue2022-10-17 09:08:15.713{5C0BDE06-1B69-634D-8F00-000000008502}2776\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 23542300x8000000000000000518775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:15.167{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AA0A2D0D2975465542235AC43FBD40,SHA256=177243E6B34F5D9D54F2A86EE57F9CBFB8FE4EBF0C9ACC9D6FDB803C758C6737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:16.701{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30334E6A5874D33713F732155331B71C,SHA256=7EAD4B76B8370E5BCBE6B9CC3E53C87C7BFA455D867248B1B9B3C67E450386F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:16.929{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:16.352{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5636B58025EA0BC98879965DDD5DB17B,SHA256=AB91169A97583C00F87FA3AA005F956760290F9178443A07BAD7E6D5D030537B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:16.379{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\respondent-20221017090412-003MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:17.801{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F89D1C47FF3856DB49B6124D87E1F83,SHA256=37820C6403E0A4D27E40C1BBA4F5704A8BF67C70AD6CBD4B98E233E25CEA9C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:17.578{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD29F6132954426356C578C244B19ACD,SHA256=42C56B0DE524C7D92F3336EC2F1226F66C20DC7DA55C21A3B9F9EDC24B60DC6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:16.357{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57764-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000753642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:17.379{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\surveyor-20221017090410-004MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000753641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:17.253{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e207-0xfea899a1) 23542300x8000000000000000753650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:18.888{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2DEC19BB85910AA6952E9D99B0168AB,SHA256=EBBEF79692849A813A9E6B66341C17A3F34106BC0855C5E978482705F538C8D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:18.764{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FD4488B22D70509168B152BBA20897,SHA256=010036C01B79130A4D4EA381C190D11614622C4851693FB592275ADB06304E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:18.654{A78D3DEB-1B6C-634D-DE00-000000008502}3792NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:18.063{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:18.063{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:18.061{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:18.061{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000753652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:19.966{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A86A158A0E7CCA5E265E27E4DA2ECB,SHA256=23115694D0F2AB15F43E4453D41C6B45A4581BD146EA8251B8490167847FE8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:19.860{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCEC78F69FA1B29AD5A22940CBA824E,SHA256=E8DB87531F17660CA3305AFEE91B9CD448AD1C86C67E60C7E22A6ED1BE1FCA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:19.794{A78D3DEB-1B58-634D-DD00-000000008502}364ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-10-17_090812MD5=F4172C7A53F4C30AAC64D0FEC0834CDD,SHA256=82756D920D198007748CF7B60BD0F8F32C56920833F9A7FD96B7A5F6E307455B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:16.914{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49745-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000518825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.631{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.628{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.626{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.623{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.622{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.619{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.619{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.617{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.615{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.613{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.610{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.608{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.605{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.591{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.586{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.579{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.577{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.561{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.530{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.516{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.507{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.500{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.490{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.477{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.468{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.459{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.450{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.438{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.432{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 10341000x8000000000000000518796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:20.426{5C0BDE06-1A79-634D-1E00-000000008502}19402884C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013000190) 354300x8000000000000000518795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:17.070{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49746-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:21.139{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7A7A8D83BC68A25E2297A63A5FD600,SHA256=6C3A2E5D71E1793FEEFE69C7E1E71FA5BE9E2C1A31C9D61EE981B7911396A7EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.973{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.966{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.946{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.938{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.920{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.907{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.894{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.875{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.868{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.850{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.842{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.792{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.789{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000753654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.465{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.056{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34948D717DBC5ECC2A7265806B90375F,SHA256=2C0C9C0B389892DB9596A42EA5379184D3CD56EA7A60B6F439DDE2AF5C60C15F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000753725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.605{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57766-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000753724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:21.370{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57765-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000753723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.723{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000753722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.723{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000753721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.723{A78D3DEB-1AE9-634D-9A00-000000008502}48762332C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.723{A78D3DEB-1AE9-634D-9A00-000000008502}48762332C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.691{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000753718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.691{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000753717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.691{A78D3DEB-1AE8-634D-9000-000000008502}43404376C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000753716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.691{A78D3DEB-1AE8-634D-9000-000000008502}43404376C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000753715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.691{A78D3DEB-1AE9-634D-9A00-000000008502}48764968C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.691{A78D3DEB-1AE9-634D-9A00-000000008502}48764968C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.676{A78D3DEB-1AE9-634D-9A00-000000008502}48764968C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.676{A78D3DEB-1AE9-634D-9A00-000000008502}48764908C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.676{A78D3DEB-1AE9-634D-9A00-000000008502}48764908C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.676{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000753709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.676{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000753708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0D00-000000008502}9082948C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0D00-000000008502}9082948C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0D00-000000008502}9082948C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0D00-000000008502}9082948C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0D00-000000008502}9082948C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0D00-000000008502}9082948C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000753695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000753694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000753693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1AE9-634D-9A00-000000008502}48765176C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.660{A78D3DEB-1AE9-634D-9A00-000000008502}48765176C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.645{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B86-634D-DF00-000000008502}5756C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.645{A78D3DEB-1A7C-634D-1600-000000008502}12361396C:\Windows\system32\svchost.exe{A78D3DEB-1B86-634D-DF00-000000008502}5756C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.629{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1B86-634D-DF00-000000008502}5756C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.629{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.629{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.629{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.629{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.629{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B86-634D-DF00-000000008502}5756C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.629{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1B86-634D-DF00-000000008502}5756C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.640{A78D3DEB-1B86-634D-DF00-000000008502}5756C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000753681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.509{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.506{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000753679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.131{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C39370764D271D51396D1F72D0C560,SHA256=2E701F94DA8125B669A7C40D0C6C259018F9851754BC088253B9B9DBD9E0EE50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.067{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.064{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000518827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:22.254{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCA8708E0F8B2E807BE36FC8DC5BF0D,SHA256=09F63C0DFA6AE46BA3220040DC7D1E299E6653D9E5E66479D4B375C89BFEE434,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.054{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.049{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.043{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.029{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.027{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.020{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.016{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.015{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:22.013{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000753768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.956{A78D3DEB-1B58-634D-DD00-000000008502}364ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-10-17_090812MD5=1E393D63758AB5540E7CE13F4BB7062B,SHA256=995551C71EBC4384799928EF899FD20191CA01A56C758E16A33F3BF0F6D12770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.956{A78D3DEB-1B58-634D-DD00-000000008502}364ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.831{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000753765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.831{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000753764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.831{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.831{A78D3DEB-1AE9-634D-9A00-000000008502}48765416C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.831{A78D3DEB-1AE9-634D-9A00-000000008502}48765416C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1AE9-634D-9A00-000000008502}48765116C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1AE9-634D-9A00-000000008502}48765116C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1AE9-634D-9A00-000000008502}48764968C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1AE9-634D-9A00-000000008502}48764968C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1AE9-634D-9A00-000000008502}48764968C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.816{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.784{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B87-634D-E000-000000008502}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.753{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.753{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.753{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.753{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.753{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B87-634D-E000-000000008502}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.753{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B87-634D-E000-000000008502}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.754{A78D3DEB-1B87-634D-E000-000000008502}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000753743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.706{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5857522E075B4ED78A807BE9C37FE81E,SHA256=23620F6620F953B4068AE7A061EB37F4FFC76EB4E51611C1BE93D2A9F98A0AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.182{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3413A90CE94B0A332D517384214F190A,SHA256=A14C54FA3E4D89E1508D735923D5C848A74643CBBB7DD0957BFE552D277CE035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.180{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FF181A4A88DFAEC1352C99E62073F36C,SHA256=A050AED9D876F7BB722272859A0BD7C152C3EE4ABAAEDA13C9B642FA8F521B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000753740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.179{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9816E3EB490CD074B82BD93B55120BAD,SHA256=5EEDE9F277D02254A1E1361A551ABCE6418044E984458ABEF0DA58DDA8C21CBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.160{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.160{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.157{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.157{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.157{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.157{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.157{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.149{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.149{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.149{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.149{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.149{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.147{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:23.147{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 354300x8000000000000000518829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:22.176{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49747-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:23.355{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F42EB1C4C95C3C3DD6898465D9880F,SHA256=9F2915BF11CCF48F1313F868A1A936311EB1B3DC2D21CA7696E99522CEB4BC55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.990{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.990{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.990{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.990{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.990{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.990{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.990{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.991{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000753781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.670{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=07DA84D81129B3003807551DA05BE5B9,SHA256=CEC9E353684DB4CAC3402A59D0A634DAB61B7FB4EBAE0C7B387303843EBA6A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.592{A78D3DEB-1B88-634D-E100-000000008502}37405980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.538{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.536{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.380{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B88-634D-E100-000000008502}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.380{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.380{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.380{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.380{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.380{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B88-634D-E100-000000008502}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000753771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.380{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AAFEF25A544C4C92C169AA55B9E471,SHA256=78E79499D387E4A08EDE29120ACC8E05387EBA842F0EB07B54F6B984A0BD9DC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.380{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B88-634D-E100-000000008502}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.382{A78D3DEB-1B88-634D-E100-000000008502}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:24.436{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995E8FF50A36C873021637AF158AFC74,SHA256=7B162E024C4B57BA2133A7C82000653E5E98A7BF886E88FE8499FD45AFA34C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:25.532{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4386E346AA04EF994AAC29DFAD9C3CE5,SHA256=2D70B4A658B163F7BDE96563981F050C3B285EF256848DF681998A6DAF2EF4A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.981{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.981{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.981{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.981{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.981{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.981{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.981{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000753817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.159{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57767-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000753816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:24.159{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57767-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000753815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.559{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986E4BFDAFAD071F149F3353F8C235C2,SHA256=4F528623BEE3C60A6D68F5A6B4E7DF858BD328A3CFDEA192E05C1CBA98A2119F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.188{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.188{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.188{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.187{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.185{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.185{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B88-634D-E200-000000008502}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000753808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.175{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.168{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.168{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.166{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.163{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.150{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.139{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.104{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.095{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.084{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.078{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.076{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.073{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.069{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.064{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.063{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.060{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.057{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:25.053{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000753974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.949{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B8A-634D-E300-000000008502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.949{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.949{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.949{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.949{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.949{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B8A-634D-E300-000000008502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.949{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B8A-634D-E300-000000008502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.950{A78D3DEB-1B8A-634D-E300-000000008502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000753966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.637{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28708F53B80259D4E5516771976F3CAC,SHA256=526E74788A875DB1DC3999B9D5B199832C7C922C7EE1258C11655EFCBF10FF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:26.615{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B77AB311178BEDC96C33D6E276E53F9,SHA256=A7CEC789391C8242F6579D954E4426FB6BF6D8AD4D21AE4176CB12FB2C8EEA8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.543{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.543{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.543{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.543{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.543{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.543{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.527{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.512{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.496{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.496{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.496{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.496{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.496{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.496{A78D3DEB-1B2D-634D-C300-000000008502}42165308C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000753928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.496{A78D3DEB-1B2D-634D-C300-000000008502}42165308C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x8000000000000000753927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.496{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977E129F28AB481067A91310FAC09326,SHA256=EEF8DB3DAA8B850BB0A07E46F6298305A873DB960ED9DFC464F0F9FA703E5F76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.496{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.480{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.465{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.465{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.465{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.465{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.465{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.465{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.324{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.324{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.324{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.324{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.324{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.324{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.308{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.308{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.308{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.308{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.308{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.308{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.293{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.277{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.262{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.246{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.230{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.215{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.215{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.215{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.215{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.215{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.215{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000753987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.871{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57768-false20.83.81.165-443https 354300x8000000000000000753986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:26.772{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56241- 10341000x8000000000000000753985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.873{A78D3DEB-1B8B-634D-E400-000000008502}15486056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000753984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.716{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54DDC9F9DF3BE1B114A24023077D227,SHA256=2390EE12E4EBBA3FA9B02513C97AF85E1178D3FFE42AF2CAB41660253BF8745F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.638{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B8B-634D-E400-000000008502}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.638{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.638{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.638{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.638{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.638{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1B8B-634D-E400-000000008502}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.638{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B8B-634D-E400-000000008502}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.639{A78D3DEB-1B8B-634D-E400-000000008502}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:27.710{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6E29A0B28DF22248BE2B830A56E600,SHA256=F2499DF8C199DA6740C64A20F52B45C67AD2261899FA702D7FBD5CD2165CCAAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000753975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.161{A78D3DEB-1B8A-634D-E300-000000008502}41643056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000754001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:27.295{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57769-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000754000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.357{A78D3DEB-1B8C-634D-E500-000000008502}48482120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.213{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000753998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.213{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000753997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.211{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000753996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.211{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000753995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.138{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B8C-634D-E500-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.138{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.138{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.138{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.138{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.138{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1B8C-634D-E500-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000753989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.138{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B8C-634D-E500-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000753988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.140{A78D3DEB-1B8C-634D-E500-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000754013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:28.030{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56682- 23542300x8000000000000000754012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.194{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17DDDF71F4646D62C43CAA44E85946E4,SHA256=A33695DB9910494FED67BF7967D5A23D3BBA3FE8957D22328047F4CE24CBBCE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.188{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000754010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.188{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2340438EFDDC085A7204054D1C811F,SHA256=0EDF6DE17D8CD7044EB5448A7D2360A9723BD3ABE219F44BC634311D311AFD46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.188{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.187{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.187{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.187{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.186{A78D3DEB-1AE8-634D-9100-000000008502}43844712C:\Windows\system32\sihost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.123{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.123{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.123{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000518834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:29.012{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8630D4C4D9A35B0370060EC69580F5,SHA256=28E7B913EFA3D157D5E7387F5B19551D10F4BEFB608950424BB40992D3A934D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.647{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.631{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.272{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1B8E-634D-E600-000000008502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.256{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.256{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.256{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.256{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.256{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1B8E-634D-E600-000000008502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.256{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1B8E-634D-E600-000000008502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:30.089{A78D3DEB-1B8E-634D-E600-000000008502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000754014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:29.995{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F899896A31B22CDC45DAB9D33556D1C,SHA256=D4CF5AD03BA63981AABD926F2444F9E6D5150DE7C265AAA68F3BD60127BC2091,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:28.179{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49748-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:30.105{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBFF4AE9FBB672AAF0A8840E742A6E8,SHA256=39AD2EB6778A935DB6DAD688566941548A4D6AF00502371B06F0FC632C23C093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:31.100{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847DF5E6D7F9AE5EF9704AD415AC102B,SHA256=9E679119A946D7682268B6DB7094D8213FB4887F27CBAAD31445E4F5DEBBF0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:31.184{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11845D2B805EE4B0118B84BBECCA26EE,SHA256=25F793E07360AA4B2210B77028704C7C32F90D52BCFFE7EA38354DE0406C5474,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:32.531{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:32.531{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:32.181{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A074DE72CB65E3097C2D7C10E475C514,SHA256=E426DB5EA424E53221C93D0D0573E2FB930D024E13291006B1971D8C490502DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:32.365{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217A0011CF1654E041DF8AC2C49B0ED9,SHA256=4E6A7D6F37EE5416B25C8294E0E6FEE97AE82CFC3E942D71DE17C10E5918C0FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:33.277{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB601213D54C42FFB0DB5183C607A735,SHA256=DB517F3E418D96A67883D688A0D5E36A8E3F9C62EB98EF101E832AAA839AABF3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:33.248{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e208-0x0831364d) 23542300x8000000000000000518839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:33.458{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956247426A61C35259761D20BAF43A32,SHA256=02D4AB4B62B74D1C50DD5ADBC9E2FF7B972C9DE3F03B8C3C4BD6DDE78BFCCAD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:34.967{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:34.967{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:34.340{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C6DCB5E59C13AA62D225F1DBCCDE69,SHA256=6A69D6F2D99E34EEA89F00563F12C3A21C1ACA4AA990CC966BF7573BF10F0207,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B92-634D-9100-000000008502}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1B92-634D-9100-000000008502}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.954{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B92-634D-9100-000000008502}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.955{5C0BDE06-1B92-634D-9100-000000008502}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.549{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F8155797B401714C45A492EE99A69B,SHA256=7097AFD2A890938842A0568F632089CEEDF5B66641744326E05AE7627054B21B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B92-634D-9000-000000008502}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1B92-634D-9000-000000008502}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B92-634D-9000-000000008502}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.284{5C0BDE06-1B92-634D-9000-000000008502}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000754035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:35.433{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856AD758BE40C7832964E86398EB5E4E,SHA256=C56619163F694E4C15A3B3B664C43B81A376D9B8E2A5E4324EFB75A9D76D1800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.676{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B8E0E2FCFBAEA52105D4C7D16ADA12,SHA256=0FF6B04E6DF0A6B1A602CB44199C1B9C63DA9947613C53330BC5A3DE452CC403,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B93-634D-9200-000000008502}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1B93-634D-9200-000000008502}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.629{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B93-634D-9200-000000008502}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.630{5C0BDE06-1B93-634D-9200-000000008502}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000754034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:33.282{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57770-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.371{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7644EC1F8E42781DD2C30E3DA532081,SHA256=5A226433C4B793EA6967F46A66DDD1952ED6C2360380AEAF85674F91759DB08E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:35.189{5C0BDE06-1B92-634D-9100-000000008502}820816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B94-634D-9400-000000008502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4973B4271800B13B96831E6BC00A02,SHA256=2CAED8362359483ECEB2EF9B70A12CE57A483F0B5207C9161C62C4994E69EAD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1B94-634D-9400-000000008502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.867{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B94-634D-9400-000000008502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.869{5C0BDE06-1B94-634D-9400-000000008502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000754036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:36.527{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A886C9AE716DF17DECE96B879E85DE0,SHA256=F804B99C4E1188351F587DE053A01A982DF8B4F6AE004C191DAAE7CD46A584C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.586{5C0BDE06-1B94-634D-9300-000000008502}664848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.486{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.486{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.486{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.483{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.483{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000518897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.483{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 354300x8000000000000000518896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:34.204{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49749-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000518895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.301{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:36.302{5C0BDE06-1B94-634D-9300-000000008502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000754039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:37.764{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:37.764{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:37.623{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4369CCD2F3D9D9E489FDE629C3F08E64,SHA256=FCDCDE43F3A86912D05195F9EF85573395C6F3038D26163283058BDB88FD216C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.738{5C0BDE06-1B95-634D-9500-000000008502}10842016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B95-634D-9500-000000008502}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1B95-634D-9500-000000008502}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.534{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B95-634D-9500-000000008502}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.535{5C0BDE06-1B95-634D-9500-000000008502}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000518918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:37.164{5C0BDE06-1B94-634D-9400-000000008502}12561088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:38.709{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3F48A60833CEE9AD8127CD426769F7,SHA256=7F83F04FDB8B43BD97C320C91FAF81ED0B87A9550C15AB01C99F7E0E420E8DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.476{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739B5A7F1D6589EB3DC072AE4DB195D3,SHA256=86B602FD2C88D31FB8C018D2B9CBD0183F80280CB7F079D2C981B45B39F4FF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1B96-634D-9600-000000008502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1B96-634D-9600-000000008502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.206{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1B96-634D-9600-000000008502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000518934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.207{5C0BDE06-1B96-634D-9600-000000008502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000518933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:38.175{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BDE720A6FB054C82418A155219C7985D,SHA256=771DE36844B6FA7482879A1245320EEECF76E1FABC59FA7239C4EBEC6AC52CC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:39.979{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:39.964{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:39.808{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA728B4CE8D35924FA3ACD70B39BA213,SHA256=926F4F4C70946F5B593C92DB8314B7964D73F7CDD1B145CE20CE95247816063F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:39.267{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DE8B92A13107BF059772DE02085A1C,SHA256=BDA5BE8336628E0BEDEB4C9FD04376F0DBB7937091AA8C0517A43BD7AB0630C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:40.891{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F943EB5B6CE9F9B13B4B06BEFB7BFFD,SHA256=B4CA1AA47FD4444CB45D9A58B9475D29095FC0717B300B3D2849BD3819360F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.714{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.711{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.708{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.704{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.703{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.701{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.700{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.697{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.696{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.692{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.687{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.685{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.678{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.651{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.644{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.636{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.634{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.614{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.576{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.564{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.555{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.546{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.536{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.521{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.503{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.487{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.473{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.458{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 23542300x8000000000000000518951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.453{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF61A33F035ACD70369FDB8D376DE20,SHA256=61831AA2D96EAB23B16E86B530805DDCB030E9A80C4E0EA489089384AA38BB2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000518950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.442{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000518949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.436{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 354300x8000000000000000754044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:39.213{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57771-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:41.707{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FB9BA6A536633C4D90599409B3ED6F,SHA256=17F19B7A4B536C9D8C9D738F72E05760B3C68F8DD7849170F7F2E5219CE50E6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:40.081{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49750-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000754071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.975{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 23542300x8000000000000000754070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.973{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BCFE91C6DD8B930151256995D1B295,SHA256=BD73836458F44EAE793AAF197F27E20515B9956E5D2AC0A90F0E7D4061D92BD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.972{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.968{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.964{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.961{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.953{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.952{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.946{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.943{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.942{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.940{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.909{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.898{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.887{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.882{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.875{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.865{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.859{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.850{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.844{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.833{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.826{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.792{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.789{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 23542300x8000000000000000754046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:41.001{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D96BC5C928C80C5FCE405F823FE9E6DE,SHA256=D308E3F8D6DDDC60BC4DDB2A8AC58BDAAAD638C2920E0805EF460408D86CA9D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.941{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B795E00A59D32CEA577EDEB4315CC2,SHA256=0B6EB2F16704C724AB08C08143D5A7A242AFBC432AA94867C6F514E1934C8416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:42.660{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B92C043C93ACEF1CEDFB4C52B848B8,SHA256=BE7362BE2249AC197800552A4D6235D1FE62B5F9CACA0ACB5978F1EB638F8A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.430{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5176AB7DD242ED2D4260B3906E6FB6A0,SHA256=6094C25BAD9C70415EE7807561D7C1D176466C8CE836AA69EACAE067E1ADFEC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.385{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.385{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.385{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.385{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.385{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.382{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.382{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.382{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.382{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.380{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.379{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.307{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.305{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.302{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000754096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.302{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000754095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.301{A78D3DEB-1AE9-634D-9A00-000000008502}48762332C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.300{A78D3DEB-1AE9-634D-9A00-000000008502}48762332C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.288{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000754092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.288{A78D3DEB-1AE8-634D-9000-000000008502}43404356C:\Windows\System32\RuntimeBroker.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8dd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000754091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.286{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000754090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.285{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000754089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.281{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.281{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.274{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.267{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.267{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.267{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.266{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.266{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.266{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.265{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.264{A78D3DEB-1AE9-634D-9A00-000000008502}48765176C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.264{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.264{A78D3DEB-1AE9-634D-9A00-000000008502}48765176C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.263{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.260{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+3cfc1|C:\Windows\System32\TwinUI.dll+204a8|C:\Windows\System32\TwinUI.dll+203c8|C:\Windows\System32\TwinUI.dll+2183f|C:\Windows\System32\TwinUI.dll+1fded|C:\Windows\System32\TwinUI.dll+1fc41|C:\Windows\System32\TwinUI.dll+148b4d|C:\Windows\System32\TwinUI.dll+d5ddf|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.257{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+3cfc1|C:\Windows\System32\TwinUI.dll+20554|C:\Windows\System32\TwinUI.dll+203b5|C:\Windows\System32\TwinUI.dll+2183f|C:\Windows\System32\TwinUI.dll+1fded|C:\Windows\System32\TwinUI.dll+1fc41|C:\Windows\System32\TwinUI.dll+148b4d|C:\Windows\System32\TwinUI.dll+d5ddf|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.255{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:42.253{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:43.758{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD38CFD3E1EA99D30432FA373C90F874,SHA256=5DAF3F54D8FFE5E803158A12D58ACFDBEDE51D7936946E923593F7378BA5F284,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:43.221{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000754118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:43.221{A78D3DEB-1AE9-634D-9A00-000000008502}48765084C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000754117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:43.205{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:43.205{A78D3DEB-1AE9-634D-9A00-000000008502}48765416C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:43.205{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:43.205{A78D3DEB-1AE9-634D-9A00-000000008502}48765416C:\Windows\Explorer.EXE{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:43.205{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:44.954{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43E2C93A7032A9AC515BAAC9C0F7D3A,SHA256=7ACDF2BA760B0E44A5A96F24CAFEBADE376F1E344F6AE2E0586F720C047068F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.935{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.934{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.932{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.931{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.929{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.919{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.911{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.885{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.879{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.871{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.867{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.865{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.863{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.861{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.857{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.857{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.855{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.854{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.852{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.679{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.679{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.350{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000754121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.349{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 23542300x8000000000000000754120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.015{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160171E246266C6975961BE8A79B7A57,SHA256=C8D381240777DC94EF0438A7BEEC3CA12143B1843707B3D3EC376618DA333C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:45.104{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF1976BF12809F21240D07E2B3ED070,SHA256=AA81DB5FF93E92E0994A4E8D853D1D31A082D1C1A912FCDDBC9716F67B3AFD3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.548{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.548{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.548{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.548{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.548{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.516{A78D3DEB-1AE9-634D-9A00-000000008502}48764668C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.516{A78D3DEB-1AE9-634D-9A00-000000008502}48764668C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.516{A78D3DEB-1AE9-634D-9A00-000000008502}48764668C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.516{A78D3DEB-1AE9-634D-9A00-000000008502}48764668C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.516{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.516{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.516{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.516{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.501{A78D3DEB-1A7C-634D-1600-000000008502}12361396C:\Windows\system32\svchost.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.501{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.501{A78D3DEB-1B9E-634D-E800-000000008502}4365456C:\Windows\system32\conhost.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.485{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.454{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.454{A78D3DEB-1AE9-634D-9A00-000000008502}48764832C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e77b|C:\Windows\System32\windows.storage.dll+16e491|C:\Windows\System32\windows.storage.dll+16e0de|C:\Windows\System32\windows.storage.dll+16f380|C:\Windows\System32\windows.storage.dll+16de2e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+20f458|C:\Windows\System32\windows.storage.dll+16654a|C:\Windows\System32\windows.storage.dll+1662a2|C:\Windows\System32\SHELL32.dll+4c93d|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d039|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\System32\SHELL32.dll+1865d0|C:\Windows\System32\SHELL32.dll+1793bc|C:\Windows\System32\SHELL32.dll+1a0124|C:\Windows\System32\SHELL32.dll+179556|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 10341000x8000000000000000754151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.457{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000754146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:44.255{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57772-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000754145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:46.207{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35176D6C9624172BE3D440BF55EEBDBE,SHA256=B8E37D9BE8F7A0F1C0EA109E9FD0F69402F24D0D254C36E155ED89E0275F4158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:46.042{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E60F764559B95FA25801391ED41F4F,SHA256=40EA0B1F4B9A242B8E28F763F0A8921622B28EAB3E9CCC99935FACE200A4B08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.487{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A34F4F18CB874ACC60A4D84DF10B7F0,SHA256=B4B02B555080E76889FFD7BDAB276B22E4EE56DFAE8EF10C8398AF98DDCEEF5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.444{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.444{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.444{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.444{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.441{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.441{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.441{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.440{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.440{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.440{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.440{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.440{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.425{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.425{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.425{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.424{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.424{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.424{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000754171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:47.312{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9545CB392A52224533ABC0016130422F,SHA256=8E822AB4A85F834482EA7FF2BF0A28A13519DAC295051DF82F86AAEBFC09058F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:45.154{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49751-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:47.138{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13E656DEF042195365A9213812AD3C4,SHA256=F571B01582AF9894F49F782F10B7D12569F0A462721F0A1EEA806C52FF8E23E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.523{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.523{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.523{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.523{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.523{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.523{A78D3DEB-1AE8-634D-9100-000000008502}43844448C:\Windows\system32\sihost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.476{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.476{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000754192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.476{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000754191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:48.397{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DE285299FC2D2311FFE705670EF1F1,SHA256=31A7C3464100E8DD3E81E3B138E441823C7C6135FE3A5C40264B02810A63729F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:48.225{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2A65AB31BEB0EA65A1510084196141,SHA256=A3DEBA6092305702957F6B773029C3C408AC136E67BD6FCC1403958383138D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:49.481{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71E3833C0227D208CE6C36D2D15FFB8,SHA256=1B7012BC31D745FC8761B46513112E1AF9DA11634827A0605489D69C23267BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:49.310{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41272BC924E789A0C9B509F2044D08E,SHA256=3889B7C8EA992B3E85C748F04B2450BE68467CB40984DFEE5658D029BE0378B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:50.582{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE4823CCB11DA0D6C9CA61D59BF8E38,SHA256=3DB9F857B8BC1435D73922E34884AC57A58B0D82CE53E8E9996E98F867CBD6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:50.396{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CACC5D927A02A9498935C20CF7FBB2,SHA256=FB7387F02CB0C843DE7871E7AB3B922CE9A7762FCC95AAFB44FF0DDC4E8F3703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:51.658{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA9C49B0178E3BE493560616D8CD3B3,SHA256=38FF0E86938B1FE9ACCA56D7624FDAE63442436ECD106BE8803B1E61641391E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000518991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:51.584{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21500F46AC45FB7571F27EB81887DC28,SHA256=2A19A241183A77AE9D91819D2A6F189B4A7A2C28181DA531917A38AE59F57850,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:50.298{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57773-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000754205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:52.734{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CC386683584D5308B9B5467015C31E,SHA256=C2BA06DF98A9C3940E946864971C61EBD13DEB957BDBE6AA47AFF48694FE5BB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000518993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:51.082{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49752-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000518992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:52.680{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D6A7795F37D1ACC897EBBB3D15F435,SHA256=DCF6BC7B976C9DB44DED47FB1192509716B3B91190D9A734B800D81C183D8D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.831{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03F1A45461F1E31E960EA18B261B741,SHA256=F8CF748E69752E23FA87774765D1D77CE94EBA3832453BC3294D8B9804F7DD31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.768{A78D3DEB-1AE9-634D-9A00-000000008502}48764832C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8ddd|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000754220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.768{A78D3DEB-1AE9-634D-9A00-000000008502}48764832C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8ddd|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x8000000000000000518995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:53.777{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6FC17AAA488A4F67DAB2956778A7DE,SHA256=57D26209825AD7F0084AA8390DB659C2595ACC165534468349A349A44FF6EE4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.637{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.637{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.637{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.636{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.636{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.636{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.248{A78D3DEB-1AE9-634D-9A00-000000008502}48764832C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8ddd|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000754212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.248{A78D3DEB-1AE9-634D-9A00-000000008502}48764832C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8ddd|C:\Windows\System32\SHELL32.dll+2838ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000754211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.062{A78D3DEB-1A7C-634D-1600-000000008502}12361396C:\Windows\system32\svchost.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.062{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.062{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.046{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.030{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:53.030{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1BA5-634D-E900-000000008502}5976C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000518994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:53.149{5C0BDE06-1A78-634D-1100-000000008502}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EEA923CFCE4ED5778A47F84D7827E0AC,SHA256=7E864CC8C107886E9D3DDB7635E38DE53B935FAA2BEF28F654432BE35E92F7D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.923{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D32281A8DB99BB1E63D68854F670F6,SHA256=A28712EA19D04333256A795DDF04DE77640928C2F0FBCEFD4BF3F6819892BDD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.884{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C5BA64F7943B5B7A4AE0B2F792D7E334,SHA256=21F785812A7D562046C34006BAC5CA6E7B17CACC47F098DABEE70EA9E11B60D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.889{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3AD19EC1A348F0AFC1F588E5501F66,SHA256=D78DE135A1E23B5E2609F164A7D86D8250418CDB2C6A137081D688B0BC0A0B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.827{5C0BDE06-1A79-634D-1500-000000008502}1036NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=998C09BC0B1AAB899DB294E3A9829BBB,SHA256=EC0B5CE552A6FAE7BE451DA2FA6F7E24C9F7F69B1995B6F3C73B519DE11488B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.346{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.346{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.346{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.331{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.331{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.331{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.331{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:54.146{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1289867637B67B12432B0F147B0124C8,SHA256=E5E8C973D47B3AFFF3A8AA3B678CE72ED0DC90FC52F4B2D12F2286F88388F705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.780{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1BA6-634D-9700-000000008502}3372C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.749{5C0BDE06-1BA6-634D-9800-000000008502}39642400C:\Windows\system32\conhost.exe{5C0BDE06-1BA6-634D-9700-000000008502}3372C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1BA6-634D-9800-000000008502}3964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1BA6-634D-9700-000000008502}3372C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000518998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A79-634D-1500-000000008502}10362716C:\Windows\system32\svchost.exe{5C0BDE06-1BA6-634D-9700-000000008502}3372C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e034|c:\windows\system32\UBPM.dll+11582|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.702{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.960{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C6891A418E09D2ECCE77174D74C457,SHA256=002B5B248476BE15DEAFF3A2774C266DEEAE8FFFFE1ACE88D7B41CA4B65A93C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.987{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C950258CD95884EE34F520E79162CC5C,SHA256=C0DFA15AAF3BAE2ADCAD203C1B05EEF025917C75C6F433E81772E15F30506F8B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=ADD4F54BBC6D3D9B50781513AD5A34007D6F49A0EBABAB6803A06C7FAEC7BE9F 13241300x8000000000000000754253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x8000000000000000754252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local2022-10-17 09:08:55.449C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=ADD4F54BBC6D3D9B50781513AD5A34007D6F49A0EBABAB6803A06C7FAEC7BE9F 13241300x8000000000000000754251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000754250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000754249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000754248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000754247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000754246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000754245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000754244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000754243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000754242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:08:55.449{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x8000000000000000754241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.449{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.372{A78D3DEB-1B9E-634D-E800-000000008502}4365456C:\Windows\system32\conhost.exe{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.356{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.356{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.356{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.356{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.356{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.356{A78D3DEB-1B9E-634D-E700-000000008502}58045380C:\Windows\system32\cmd.exe{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.321{A78D3DEB-1BA7-634D-EA00-000000008502}4348C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x8000000000000000519037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.756{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ADB519E1D85712BDF4F7933A03E132E,SHA256=A4DDD4C9A6ED7BDE97F664E731E7343AD68097F113E46348124FA990EF618974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.602{5C0BDE06-1A79-634D-1600-000000008502}12201616C:\Windows\System32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000519035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:55.584{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x8000000000000000519034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:55.584{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0004b448) 13241300x8000000000000000519033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:55.584{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8dfdc-0xc04dfbc6) 13241300x8000000000000000519032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:55.584{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8dfe5-0x221263c6) 13241300x8000000000000000519031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:55.584{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8dfed-0x83d6cbc6) 10341000x8000000000000000519030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.297{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.297{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.297{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.297{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.297{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.297{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.155{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000519023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.155{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.139{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.139{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.139{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.139{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.139{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.139{5C0BDE06-1A79-634D-1500-000000008502}1036NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF4b293.TMPMD5=877195418EEEC47990DFEAC1A2655DCA,SHA256=F056602651966DE89E90FC6A25BE15F4B02E5531D10BF9F980BEAB826AB542A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.092{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.092{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:54.999{5C0BDE06-1A79-634D-1500-000000008502}10362716C:\Windows\system32\svchost.exe{5C0BDE06-1BA6-634D-9700-000000008502}3372C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000519062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:55.477{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49753-false20.190.154.18-443https 23542300x8000000000000000519061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.893{5C0BDE06-1A79-634D-1500-000000008502}1036NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF4b969.TMPMD5=F2700BBFEEB7CAF06BECA1B8703C7563,SHA256=7C767F7AD3F6E05B06090656AF51CCB9D2C56DFAD418A6033D6DA47ED10CA9E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.847{5C0BDE06-1A79-634D-1500-000000008502}1036NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF4b93a.TMPMD5=B8F99D13607AE4ECE9815F851425DDA7,SHA256=37F88FADCAC618CFC5727B966B2209B2301CD2EF7374F3826CB44323BEE6F6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.800{5C0BDE06-1A79-634D-1500-000000008502}1036NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF4b90b.TMPMD5=5273424827E8A4D2FCD0FE2AE0EC3A86,SHA256=6C2099C788517AF16F68E6485246F51614306B2A1838332F24510BBE5DACB960,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000519058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:56.490{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000519057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:56.490{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0004b7d3) 13241300x8000000000000000519056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:56.490{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e1ff-0xb3ba672d) 13241300x8000000000000000519055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:56.490{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e208-0x157ecf2d) 13241300x8000000000000000519054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:08:56.490{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e210-0x7743372d) 10341000x8000000000000000519053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.351{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.350{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.349{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.349{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.315{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.315{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.315{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.315{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.314{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.314{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.313{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.313{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.311{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.311{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 23542300x8000000000000000519039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.038{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F8555B4856DFABFF88D124C94844A10E,SHA256=C4CFC1B3863F59A321E593F8014F249B6AEC258CADCB7505A98D3A1D4F18EC30,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:56.882{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 23542300x8000000000000000754258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:56.757{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=24A9ED18174C703108516D07D38D3144,SHA256=3B704B812D2277D74FA3BFB0A39A4A600A2EA7F061CF3145DE2770829738F5AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.298{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A53531- 23542300x8000000000000000754256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:56.096{A78D3DEB-1A7C-634D-1100-000000008502}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4EBF1A9D0FDD392B13D8D1284DBAB3AF,SHA256=252FB99F769C1F052F975AEEDAC2C14E06638895DE67D9E9BD64BA83C1903A0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.173{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49755-false169.254.169.254-80http 354300x8000000000000000519064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:56.069{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49754-false52.140.118.28-443https 23542300x8000000000000000519063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:57.284{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C75720C76DE0473FEC03A05E96A9A7,SHA256=8FC5FC7D59C01A254722413E3AA72638FBFF37DB4EB120B4B8EBC3729A42601E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:57.763{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:57.763{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 13241300x8000000000000000754265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:57.763{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 354300x8000000000000000754264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:55.757{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56017- 13241300x8000000000000000754263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:57.350{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:57.350{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 13241300x8000000000000000754261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:57.194{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 23542300x8000000000000000754260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:57.085{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0966E75170B1CBD768509F8CF85529BC,SHA256=CE2DE5789C2FF54DCDC48D8454AB5A6FDE2D232E9EE0BDDA9123B2258E125259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:58.369{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734955C898BB952E894FC7BA0EFE5C46,SHA256=B936EED810747D3DCF3E927F2BB6A647A6B64FF35F7777AC4F36C5581FF888AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:57.521{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57776-false20.86.173.234-80http 354300x8000000000000000754276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:57.383{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57775-false104.98.86.42a104-98-86-42.deploy.static.akamaitechnologies.com80http 354300x8000000000000000754275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:57.364{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local61534- 354300x8000000000000000754274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:56.593{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A51869- 354300x8000000000000000754273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:56.302{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57774-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000754272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:58.168{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A6C8544DC3A799FBB3449BE182CA9B,SHA256=3331755F42B2236021F55FD171C71DD37D071741054EE4A757BAAF3F96CA7FEE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:58.011{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x8000000000000000754270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:58.011{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0050\(Default)Binary Data 13241300x8000000000000000754269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:58.011{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0008\en-USBinary Data 13241300x8000000000000000754268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:08:58.011{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 354300x8000000000000000519068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:57.081{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49756-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:08:59.459{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BC0EFB8AB613830B4B9F084485E205,SHA256=FD4717593CD3EF8DA6C12AEA8E3D7AB6EC1ED94F5DE56F97C28A84831A8F73D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:58.057{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57780-false104.98.86.42a104-98-86-42.deploy.static.akamaitechnologies.com80http 354300x8000000000000000754282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:57.918{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57779-false104.98.86.42a104-98-86-42.deploy.static.akamaitechnologies.com80http 354300x8000000000000000754281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:57.779{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57778-false104.98.86.42a104-98-86-42.deploy.static.akamaitechnologies.com80http 354300x8000000000000000754280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:57.638{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57777-false104.98.86.42a104-98-86-42.deploy.static.akamaitechnologies.com80http 354300x8000000000000000754279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:57.596{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A59370- 23542300x8000000000000000754278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:59.253{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7A78A1502E82CCACD9D3D15DCBBC4E,SHA256=CCED2C946AE81FD0768DE842B35600A8A6C915403C52B653FC5D0DBE8088BFF4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.763{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.763{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 354300x8000000000000000754318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:58.612{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59230- 354300x8000000000000000754317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:08:58.581{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59230- 13241300x8000000000000000754316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.487{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000754315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.487{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000754314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.487{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x8000000000000000754313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.471{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 13241300x8000000000000000754312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.471{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 13241300x8000000000000000754311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.471{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 13241300x8000000000000000754310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.471{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 13241300x8000000000000000754309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.455{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.455{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000754307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.455{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 13241300x8000000000000000754306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.455{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x8000000000000000754305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000754303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000754301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000754299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000754297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000754296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x8000000000000000754295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000754294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000754293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x8000000000000000754292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000754291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000754290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000754289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000754288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000754287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000754286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000754285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:00.440{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 23542300x8000000000000000754284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:00.346{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09CD637E190A3CFF2A1A9BD41C4EEC7,SHA256=E1A7A88ECF1EE8B8848041FF69BD23FC9451244C7DD21CCBA3E38FFA6430A644,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.811{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.807{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.805{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.794{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.790{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.784{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.783{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.779{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.773{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.771{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.766{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.763{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.758{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.740{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.736{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.713{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.708{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.681{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.629{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.609{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.594{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.582{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.563{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.554{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 23542300x8000000000000000519075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.553{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992CEA9A5DC45D0DD7B4D3A4B77D48E7,SHA256=3D579598B70A6FA86E5CDDF07940924AC6D189F1319381FB884BE1FA48B67DBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.538{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.521{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.503{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.479{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.463{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:00.445{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 23542300x8000000000000000519100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:01.649{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E6D448FB81EED2431D089036392870,SHA256=7A87365572B5EE7F42E0C3F50C9FDFDDA80F4D0A9523F11B1FECAF7135D704F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.997{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 13241300x8000000000000000754366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.993{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000754365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.986{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x8000000000000000754364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.985{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x8000000000000000754363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.984{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x8000000000000000754362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.976{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.976{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000754360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.974{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\45\Shell\SniffedFolderTypeGeneric 13241300x8000000000000000754359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.974{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.974{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000754357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.973{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.973{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000754355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.973{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.973{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000754353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.973{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListExBinary Data 13241300x8000000000000000754352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000754350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000754349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PIDDWORD (0x00000004) 13241300x8000000000000000754348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID{B725F130-47EF-101A-A5F1-02608C9EEBAC} 13241300x8000000000000000754347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupViewDWORD (0xffffffff) 13241300x8000000000000000754346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfoBinary Data 13241300x8000000000000000754345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\SortBinary Data 13241300x8000000000000000754344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSizeDWORD (0x00000030) 13241300x8000000000000000754343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x8000000000000000754342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewModeDWORD (0x00000002) 13241300x8000000000000000754341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ModeDWORD (0x00000006) 13241300x8000000000000000754340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid{65F125E5-7BE1-4810-BA9D-D271C8432CE3} 13241300x8000000000000000754339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x8000000000000000754338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\RevDWORD (0x00000000) 13241300x8000000000000000754337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000754336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.972{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 10341000x8000000000000000754335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.962{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.957{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.945{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.941{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.933{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.925{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.919{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.907{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.897{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.878{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.866{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.799{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.796{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x8000000000000000754322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:01.731{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F717156C74FEBED1249C77C3E277F2CC,SHA256=598F7EAFCD751F68585D266D502A2C63EC531F11FE63C4D58A0F32784C77E154,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:01.433{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0002\(Default)Binary Data 23542300x8000000000000000754385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.757{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DD091CE9A31D827FC80094F785C19C,SHA256=9764E903926EB6484AF19F93322719B50D2615DE5BED8666931BD45BD5EF8BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:02.732{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01E9D19715EDB96B819A9F05C3437E4,SHA256=CEB08E73C97C2D9554E7564064ABD2738D5247925422783622C05B68428CAB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:02.212{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\respondent-20221017090356-004MD5=75B25DC729C19E88528C82668494583A,SHA256=ABB595BDF77E2788F2F972811CAEECA924DDF1180379487ABCCADDFB4B859A12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.431{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.429{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.044{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.041{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.037{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.033{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 13241300x8000000000000000754378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:02.031{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\45\Shell\SniffedFolderTypeGeneric 13241300x8000000000000000754377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:02.030{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\45\Shell\SniffedFolderTypeDocuments 10341000x8000000000000000754376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.030{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.023{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.022{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 13241300x8000000000000000754373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:02.017{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 13241300x8000000000000000754372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:02.016{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:02.016{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x8000000000000000754370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.010{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.004{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.000{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x8000000000000000754387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:03.793{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBD13A19D3C2017092F0A0FBE0A7904,SHA256=2681583EEDF086646FF1CAF50ED427FC75B750D9F07FB4F9EF02DDD20CBA80E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:02.240{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49757-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:03.805{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B10248655E33AEEFE6481E341C2611B,SHA256=99448500EC32584A8709E3B731A3857E39D5AD5055747A6E48AEFEEBD5A6B09E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:02.259{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57781-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000519107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:03.689{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:03.689{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:03.689{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:03.665{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:03.218{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-005MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.998{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.995{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.992{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.989{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.988{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.983{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.981{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x8000000000000000754391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.870{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814AC490C769B8E3FF4902E37E07FA65,SHA256=6F42D3C0B6DCF965AEDB855E2E53DBC1FBF15EC057C153F5956D6348796EDFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:04.906{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CD947B360995EBB08ED68FA44FF1DA,SHA256=229D7792A2F460D05BE292D645C11A7F07BAB40382059202B65215EE8B704E09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.475{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.474{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:04.178{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.947{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23216A174B939DC6925455DC8B5D0693,SHA256=7AF78B482C5E5B328193207AC730DDCE4199612276361017FA4A7CA926A4BC22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.111{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.111{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.110{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.108{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.107{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.105{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.102{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.087{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.062{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.024{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.017{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.005{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x8000000000000000754400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:05.000{A78D3DEB-1AF5-634D-9E00-000000008502}54845600C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 13241300x8000000000000000754429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:06.984{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{56A7EA89-598E-405D-A397-ED78D7A00DF8}\LaunchCountDWORD (0x00000001) 13241300x8000000000000000754428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:06.984{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{56A7EA89-598E-405D-A397-ED78D7A00DF8}\AppIdD:\calc.exe 13241300x8000000000000000754427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:06.984{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{56A7EA89-598E-405D-A397-ED78D7A00DF8}\LastAccessedTimeQWORD (0x01d8e208-0x1c4cca80) 13241300x8000000000000000754426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:06.984{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:06.984{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\pnyp.rkrBinary Data 10341000x8000000000000000754424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.968{A78D3DEB-1A7C-634D-1000-000000008502}84752C:\Windows\System32\svchost.exe{A78D3DEB-1BB2-634D-EB00-000000008502}4400D:\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000754423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:06.968{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\SIGN.MEDIA=7D8772 calc.exeBinary Data 10341000x8000000000000000754422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.968{A78D3DEB-1A7C-634D-1000-000000008502}81028C:\Windows\System32\svchost.exe{A78D3DEB-1BB2-634D-EB00-000000008502}4400D:\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.968{A78D3DEB-1A7C-634D-1000-000000008502}81028C:\Windows\System32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.937{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1BB2-634D-EB00-000000008502}4400D:\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.937{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.937{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.937{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.937{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.937{A78D3DEB-1AE9-634D-9A00-000000008502}48764352C:\Windows\Explorer.EXE{A78D3DEB-1BB2-634D-EB00-000000008502}4400D:\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e77b|C:\Windows\System32\windows.storage.dll+16e491|C:\Windows\System32\windows.storage.dll+16e0de|C:\Windows\System32\windows.storage.dll+16f380|C:\Windows\System32\windows.storage.dll+16de2e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\windows.storage.dll+16654a|C:\Windows\System32\windows.storage.dll+1662a2|C:\Windows\System32\SHELL32.dll+4c93d|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d039|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\System32\SHELL32.dll+18171c|C:\Windows\System32\SHELL32.dll+181473|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:06.929{A78D3DEB-1BB2-634D-EB00-000000008502}4400D:\calc.exe6.1.7601.17514 (win7sp1_rtm.101119-1850)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"D:\calc.exe" D:\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000519111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:05.995{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569DAF5710CD35A2D8F46F396DFC6490,SHA256=C24B603C9622F009A7CCBB3B7E257C16E2DB94C4C8F1EB7641CB9F2EEADFFBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.977{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8AA56EB30735FB7F1ED50FB0297F0326,SHA256=B85AA452E30D865BAF9EEA2BD206A4DC5604D9E8ECB25EFFABB8CF560AB8670E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.735{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.735{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.313{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.313{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.313{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.313{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.313{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.313{A78D3DEB-1BB2-634D-EB00-000000008502}44004328D:\calc.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|D:\WindowsCodecs.dll+11b0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+6ea4e(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3eeb6(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52fcc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52e6b(wow64)|C:\Windows\SYSTEM32\ntdll.dll+2f106(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3e30b(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3aee4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+5362f(wow64)|C:\Windows\System32\KERNELBASE.dll+c7268(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ad6(wow64) 154100x8000000000000000754432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.320{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\SysWOW64\regsvr32.exe 7533.dllD:\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467,IMPHASH=D053774A49BA83FF54C68888CB687C6C{A78D3DEB-1BB2-634D-EB00-000000008502}4400D:\calc.exe"D:\calc.exe" 10341000x8000000000000000754431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.313{A78D3DEB-1A7C-634D-1000-000000008502}84752C:\Windows\System32\svchost.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:07.064{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BC7FFAFBF90F017D05FC6D1A5DF09F,SHA256=CD5EAA4A2C2B815E74938078DD01CAF3929D8EA801E70E60A9CCEE015F802FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:07.080{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC3970ADB8559B7F19BFBD0A153C83E,SHA256=A7E3A071D166EAAA9FA358A9A20069018915B52B93DF380626A1A532FF07E26F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:08.071{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:08.071{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:08.071{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:08.059{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:08.059{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000754444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:08.059{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000754443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:08.050{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833D8C84F438492E49BC9B85790DBC9A,SHA256=3646B59D0266FF072E1B499F7E5BF0DBDC0D602A4989771D142F58DC2DAEF31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:08.003{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11E8BFE013CBB352685ECEB0360F7697,SHA256=8386E936137E64B1C5B1EF26269A32BE8C8BAC898A042B0E45848A65868820D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:08.380{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=06A94E05BCEBF6C9847109B81CE014FD,SHA256=4ADB3104B4843A80DD85DD0E41CAFB7EEFBB47089ED5C23D12BFEC601929B350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:08.161{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD5463333E9245B516B0A12A1CA8D24,SHA256=A7B2873EC6242830437335E14B65C06CEA44B3104B52645F1E3D083EB44E6D67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:08.248{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57782-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000754451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:09.082{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9D68BC47EA2CAE30B6FEB28BC5F191C9,SHA256=58C05FF80965071591DE57BE28516F9BC9803B7DD9F18BA5F4AD7CF3A08E1A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:09.023{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4370C850466D40B120B4C83A8DC90F0,SHA256=9B8F2370EEDD555B2820AFD35877C6305AD6BAC34FC2213FC3AD9DFE710A6721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:09.251{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCBA20FFA0CFD31F7129741D2B06C72,SHA256=D68FCE22498665EF710C8F00755EF96AB96374C446C61BBC4012533720D74C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:10.087{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901573B0745F0FF75B43A67F808D4D57,SHA256=5C1B57884BA71798A8E98C42CC3817CF7D9186678EE0EB96EE034E4512888533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:10.559{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8599AE3180149B7462BDB81F7FF2E2B,SHA256=089BABBA7F7805C16468E63E1B742DBBA84A2FFB38FA5128CA9ECC648DF6B1D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:08.239{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49758-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:11.753{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854BBEF6D11209BBCFF97CA0253A14F4,SHA256=81831CCCA8597433FBBF1487DD2448D83871EC28DE9CA6B9C46414EDB89E86FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:11.109{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDC04E7859B054CA71C380703A3563B,SHA256=ECFFD66F0EB5AE07F90665293D2EE4B49C66565F97E1FA4F13417F5B815A4094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:12.835{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D016220D82B212D04D68AE43A30D7BE,SHA256=53806FDC2A4D56AF31631DEC1FB2B6202794A3E5F7260A0C65812E66C30703FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:12.120{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725894E8B0023401ED2135CDE4438EC6,SHA256=627A3302EED1B5ABA1509E408C97893F9489926FFE0593413780C68D15800EF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:12.065{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57783-false169.254.169.254-80http 23542300x8000000000000000754456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:13.146{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0871A7BCFACBED1FF8145332389DBBBC,SHA256=2E4E88FD5E45936024BEE1BBA8BCC5BA80B67AF96691F8160EF7933263969B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:14.997{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7AA2ABE1A651EDC7E3D72C30D18E3E25,SHA256=F19606AA55E3D3964554EA8D46D3A0CE91FD1DA3E3EED8721F29E6BC855BC279,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:13.420{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57784-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 12241200x8000000000000000754483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:09:14.409{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x8000000000000000754482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.409{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List26538 26544 26554 26564 26584 26628 26638 26676 26682 26698 13241300x8000000000000000754481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.409{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x000067ab) 13241300x8000000000000000754480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.409{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x000067aa) 13241300x8000000000000000754479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.409{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x00006851) 13241300x8000000000000000754478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.409{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x00006850) 13241300x8000000000000000754477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.409{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x00006851) 13241300x8000000000000000754476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.409{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x00006850) 23542300x8000000000000000754475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:14.404{A78D3DEB-1B6C-634D-DE00-000000008502}3792NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.TMPMD5=0DDA1618EB1CFA543012E48D8C89D657,SHA256=4194C73F0CE09A80A41B50C7B8329466B0F67F07C41B2EC3530E73698168C671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:14.382{A78D3DEB-1B6C-634D-DE00-000000008502}3792NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.INIMD5=0DDA1618EB1CFA543012E48D8C89D657,SHA256=4194C73F0CE09A80A41B50C7B8329466B0F67F07C41B2EC3530E73698168C671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:14.279{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E641725DC136142444F710B5F5063BB,SHA256=4D0D4D30586BE17E2DCA9452078A91B4AE633BBBDEC641080E95E3D1AA86689A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.245{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x8000000000000000754471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.243{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 23542300x8000000000000000754470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:14.239{A78D3DEB-1B6C-634D-DE00-000000008502}3792NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:14.238{A78D3DEB-1B6C-634D-DE00-000000008502}3792NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:14.236{A78D3DEB-1B6C-634D-DE00-000000008502}3792NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\0009\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000754467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:09:14.228{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x8000000000000000754466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:09:14.228{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x8000000000000000754465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:09:14.228{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x8000000000000000754464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:09:14.228{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x8000000000000000754463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:09:14.228{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x8000000000000000754462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:09:14.228{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x8000000000000000754461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.227{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x000067a9) 13241300x8000000000000000754460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.227{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x000067a8) 13241300x8000000000000000754459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:14.212{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 23542300x8000000000000000754458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:14.210{A78D3DEB-1B6C-634D-DE00-000000008502}3792NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:14.030{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E3CDE1F5EE31058A416E6E3FEBDCE2,SHA256=25A2F0F4422DBD40BC77B30630FA86E21FA95860C8D7E5E13A423C4CD1A3BBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:15.292{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDF9169A5BEBFC804FD4BEECB307FDB,SHA256=F671F14CC17C9C73E9D9F93611EC9ED8CD977FC2A878DD9118E1B880C8372E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:15.112{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F679D440AED697B2F6C07C88457E6B,SHA256=446790125049D6EFE5C71E2EB0FC070E10E91C25AEC8A6346BD3393FE271CB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:16.357{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3F8DD58E348E64AFE9092284087EC8,SHA256=1C38A98DE784C4D9E9A27EBD2D686956577318E7132DC20630A1B072C366B927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:16.958{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:16.206{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4568ABD248C15751B4901BFE0A4BF6C0,SHA256=64A004DC002AD43A5CBA41100C71B39F6BEF588AFD08398403128C52727D6236,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:14.202{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49759-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000754494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:17.882{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\respondent-20221017090412-004MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:17.535{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:17.535{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000754491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:17.534{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000302C4\VirtualDesktopBinary Data 13241300x8000000000000000754490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:17.526{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 10341000x8000000000000000754489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:17.523{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:17.366{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B158D65BC7A731BACEC7D0850DAC4CD,SHA256=7C630D16CD331A36A07E8BA3F1B26EA567549B9E573758EC37ADDA208DBC5C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:17.208{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35989B6406305CD182960C4808D3BAD,SHA256=58029F643EE5F7F9FDD572D3186D0FC0D627E3A7FB21932475EE703D036CB39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:18.881{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\surveyor-20221017090410-005MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:18.377{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8272DE426C4A4488F5452A78CA1354A,SHA256=7E6B527C744F5094EDE7D70BA19D6DB25F8484916F41F74698EE73B1A8CAC7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:18.294{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A149968DD0E089EF806863AEE73860F,SHA256=FF01FD70C509682A806F0E8BBEEBB9E49FE5E5D87627090EF903C8177C1343A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:16.943{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49760-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000754497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:19.387{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D90597566EC3A2CEC763D92129FBBB,SHA256=F24CB8698993AA361BDAC8B28BCF7C3EAA06B5D7A5D891A4B27EDD53CBCEAD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:19.385{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA13A844E8BE98454C691F9086D69A2,SHA256=FE89D662388E33E628F1307F6C1D387535A910CCA88B5D1E898B436BD6145C17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.671{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.668{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.666{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.660{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.659{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.657{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.656{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.654{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.653{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.651{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.647{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.645{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.641{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.627{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.623{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.611{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.610{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.589{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.550{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.531{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.520{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.509{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.499{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.489{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.481{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000519134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.476{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470C53C2864762E1AA38AD89B93D8D34,SHA256=1BCA442820B02BAF79CB3974EEEEC35BEBF82CC35A9A20DC5F72E6B97E400398,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.472{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.458{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.448{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 354300x8000000000000000754806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:19.381{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57785-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000754805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.787{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA2B1608EAB4172020896941DE52413,SHA256=AFD197CE935F23B5477B3BE4B13633302999DDEAB31706951AAE43F8E346F452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.764{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816C52AB1ED0DFAF1653E147BECCE7BF,SHA256=6E4B48D9C9B19051838718A4AAD62864A855EF89F6CAE691BDECC093624C3CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000754803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.759{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44051E1BB4FF383FAE1547F195676789,SHA256=6EB231D7F251397C7356B6649A95E65C6A1D08180695E447AD295A57074DE7CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.548{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.548{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.548{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.548{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.548{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.548{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.547{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.546{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.546{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.546{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.546{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.546{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.546{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.545{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.545{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.545{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.545{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.544{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.543{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.543{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.543{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.542{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.542{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.542{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.542{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.542{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.542{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.542{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.541{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.539{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.536{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.536{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000754752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.535{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\1d1df64a706c36c\fa0aa3c3\LanguageListBinary Data 13241300x8000000000000000754751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.534{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\1d1df64a706c36c\fa0aa3c3\LanguageListBinary Data 10341000x8000000000000000754750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.533{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.533{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.532{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.531{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.531{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.530{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.526{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.526{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000754742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.525{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d401e4b45e1201\fa0aa3c3\LanguageListBinary Data 13241300x8000000000000000754741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.524{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d401e4b45e1201\fa0aa3c3\@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/AppName/Text}Windows Shell Experience Host 13241300x8000000000000000754740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.522{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d401e4b45e1201\fa0aa3c3\LanguageListBinary Data 12241200x8000000000000000754739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteKey2022-10-17 09:09:20.522{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d2dc448ed16ee3 12241200x8000000000000000754738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteKey2022-10-17 09:09:20.522{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d2dc448ed16ee3\fa0aa3c3 10341000x8000000000000000754737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.483{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.482{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.468{A78D3DEB-1AE9-634D-9A00-000000008502}48765004C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\Explorer.EXE+8cb87|C:\Windows\Explorer.EXE+56261|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+37c3f|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+34326|C:\Windows\System32\combase.dll+33ada|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\Explorer.EXE+51bc9|C:\Windows\Explorer.EXE+8f763|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.350{A78D3DEB-1AE9-634D-9A00-000000008502}48765004C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802D96EBCD8)|UNKNOWN(FFFF8050BFB0F26F)|UNKNOWN(FFFF8050BFA78012)|UNKNOWN(FFFF8050BFA72611)|UNKNOWN(FFFF8050BFA73FDA)|UNKNOWN(FFFF8050BFA72296)|UNKNOWN(FFFFF802D9401703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000754733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.349{A78D3DEB-1AE9-634D-9A00-000000008502}48765004C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802D96EBCD8)|UNKNOWN(FFFF8050BFB0F26F)|UNKNOWN(FFFF8050BFA78012)|UNKNOWN(FFFF8050BFA72611)|UNKNOWN(FFFF8050BFA73FDA)|UNKNOWN(FFFF8050BFA72296)|UNKNOWN(FFFFF802D9401703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca 10341000x8000000000000000754732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.349{A78D3DEB-1AE9-634D-9A00-000000008502}48765004C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802D96EBCD8)|UNKNOWN(FFFF8050BFB0F26F)|UNKNOWN(FFFF8050BFA78012)|UNKNOWN(FFFF8050BFA72611)|UNKNOWN(FFFF8050BFA73FDA)|UNKNOWN(FFFF8050BFA72296)|UNKNOWN(FFFFF802D9401703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000754731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.327{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.327{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.326{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.326{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.326{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.326{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.326{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.326{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.325{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.325{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.325{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.324{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.313{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.313{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.312{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.312{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.312{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.312{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.310{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.310{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.310{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.310{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.310{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.310{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.310{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.310{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.309{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.309{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.308{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.308{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.308{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.308{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.308{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.308{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.308{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.308{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.307{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.307{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.307{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.307{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.307{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.306{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.306{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.306{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.306{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.306{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.306{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.306{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.306{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.306{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.305{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.305{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.305{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.305{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.305{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.305{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.304{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.304{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.304{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.304{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.304{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.304{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.304{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.304{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.304{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.303{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.303{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.303{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.303{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.303{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.297{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.297{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.297{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.297{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.297{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.296{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.296{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.296{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.296{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.296{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.296{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.296{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.296{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.296{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.295{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.294{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.292{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.292{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.292{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.292{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.292{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.291{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.291{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.291{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.291{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.291{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.291{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.290{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.290{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.290{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.290{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.290{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.290{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.289{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.289{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.289{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.289{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.289{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.289{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.289{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.288{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.288{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.288{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.287{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.287{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.286{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.286{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.286{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.286{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.285{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.285{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.285{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.285{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.285{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.285{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.285{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.285{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.284{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.284{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.284{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.284{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.284{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.284{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.283{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.283{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.283{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.283{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.283{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.283{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.282{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.282{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.282{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.282{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.282{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.282{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.282{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.281{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.281{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.281{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.281{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.280{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.280{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.278{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.278{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.276{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.274{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.274{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.273{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.272{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.272{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.271{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.271{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.271{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.271{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.266{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.266{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000754540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.265{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.265{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.265{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.264{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.264{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.263{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.254{A78D3DEB-1AE9-634D-9A00-000000008502}48765168C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.253{A78D3DEB-1AE9-634D-9A00-000000008502}48765168C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.253{A78D3DEB-1AE9-634D-9A00-000000008502}48765168C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.253{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000754528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.253{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000502C0\VirtualDesktopBinary Data 10341000x8000000000000000754527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.253{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.252{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.252{A78D3DEB-1AE9-634D-9A00-000000008502}48765064C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.247{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.246{A78D3DEB-1AE8-634D-9300-000000008502}44284572C:\Windows\system32\taskhostw.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.243{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.243{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.243{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.243{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000754518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:09:20.237{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager\Preferences 10341000x8000000000000000754517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.235{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.235{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000754515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.204{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000302C4\VirtualDesktopBinary Data 12241200x8000000000000000754514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteKey2022-10-17 09:09:20.201{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000302C4 13241300x8000000000000000754513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.199{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUListedabc 13241300x8000000000000000754512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.199{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\etaskmgr\1 13241300x8000000000000000754511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.199{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{18A5CCB1-5B31-4193-924E-83894CA61773}\LaunchCountDWORD (0x00000001) 13241300x8000000000000000754510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.199{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{18A5CCB1-5B31-4193-924E-83894CA61773}\AppIdMicrosoft.AutoGenerated.{923DD477-5846-686B-A659-0FCCD73851A8} 13241300x8000000000000000754509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.199{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{18A5CCB1-5B31-4193-924E-83894CA61773}\LastAccessedTimeQWORD (0x01d8e208-0x242cef50) 13241300x8000000000000000754508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.197{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.197{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{923QQ477-5846-686O-N659-0SPPQ73851N8}Binary Data 10341000x8000000000000000754506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.193{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.193{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.193{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.193{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.193{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.192{A78D3DEB-1AE9-634D-9A00-000000008502}48765952C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e77b|C:\Windows\System32\windows.storage.dll+16e491|C:\Windows\System32\windows.storage.dll+16e0de|C:\Windows\System32\windows.storage.dll+16f380|C:\Windows\System32\windows.storage.dll+16de2e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\windows.storage.dll+16654a|C:\Windows\System32\windows.storage.dll+1662a2|C:\Windows\System32\SHELL32.dll+4c93d|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d039|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\System32\SHELL32.dll+4a4b3|C:\Windows\System32\SHELL32.dll+4a37b|C:\Windows\System32\SHELL32.dll+49c97|C:\Windows\System32\SHELL32.dll+4995c|C:\Windows\System32\SHELL32.dll+7f5d7|C:\Windows\System32\SHELL32.dll+7f535 154100x8000000000000000754500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:20.163{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\System32\Taskmgr.exe1, 0, 0, 1Task ManagerTask ManagerMicrosoft® Windows® Operating SystemTaskmgr.exe"C:\Windows\system32\taskmgr.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=F4429ADA273FF82A9D1EC804018A0039,SHA256=1BB6FBFFBDB585DE220DB58BAAB9327E5FF03E53AE88CBCAFF777A7819044615,IMPHASH=65D7A86C4F0360F63A506C4247D3E410{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x8000000000000000754499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.149{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:20.149{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Furyy.EhaQvnybtBinary Data 10341000x8000000000000000519130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.437{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.434{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 23542300x8000000000000000519161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:21.923{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C2E4B6BA3969B615C65F91676F7DF1,SHA256=4164F360A5E93E309112A96D144529B045011D216784A0A1CA5F22B3FA56FE22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.937{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.935{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.931{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.927{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.924{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.918{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.917{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.912{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.909{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.907{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.906{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.877{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.872{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.861{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.857{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.850{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.843{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.837{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.828{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.822{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.815{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.808{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.781{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.778{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 23542300x8000000000000000754810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.495{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6C2F03B9BBDD8E635FDB5092AE94E3,SHA256=F039FB95ADC6CD1BBFC32E6A6C1AC4E604458316DC23922A66BABF1E09E16F2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:20.106{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49761-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000754809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.463{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:21.405{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e208-0x24e57143) 23542300x8000000000000000754807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.166{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=385112AD88F92C90415D23152054F127,SHA256=39E09843969B4219252B5F168210CABF0D2B2AB6127BD1F265FD3FC7F26E5205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:22.968{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4702C9E85FC4789262581FBD7BDD9A8,SHA256=1A6692BE94B6B09D8AC210F44E7A3420C1F550532628DA42ECBA8827DEC857F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:21.621{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57786-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000754838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:22.622{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F407AB6107351BE3F324148F4747F84,SHA256=3BDEA257E63EA2C7C3DAF50CC46DF05E59ACDF53E4E1A0DEE001C1B416DFF717,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:22.243{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:22.241{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 13241300x8000000000000000754835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:22.240{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager\PreferencesBinary Data 10341000x8000000000000000754868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.825{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BC3-634D-EE00-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.825{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BC3-634D-EE00-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.823{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BC3-634D-EE00-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.823{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BC3-634D-EE00-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.823{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BC3-634D-EE00-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.784{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1BC3-634D-EE00-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.782{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.782{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.782{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.782{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.782{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1BC3-634D-EE00-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.781{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1BC3-634D-EE00-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.645{A78D3DEB-1BC3-634D-EE00-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000754855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:23.641{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8892A7BD7C666D6334AC7156F5F6D96,SHA256=2A82AF364D8CB15BA65B9FB712ED709DE76D29B2E51C86E5D963FB9ADD582D9C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.253{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000754853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.253{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{923QQ477-5846-686O-N659-0SPPQ73851N8}Binary Data 13241300x8000000000000000754852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x8000000000000000754851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x8000000000000000754850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ena.sys[NdisMofResource]LowDateTime:1473079808,HighDateTime:30948602***Binary mof compiled successfully 13241300x8000000000000000754849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x8000000000000000754848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x8000000000000000754847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x8000000000000000754846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x8000000000000000754845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x8000000000000000754844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x8000000000000000754843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:2060133003,HighDateTime:30956657***Binary mof compiled successfully 13241300x8000000000000000754842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:750188612,HighDateTime:30969326***Binary mof compiled successfully 12241200x8000000000000000754841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteKey2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x8000000000000000754840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:23.235{A78D3DEB-1B6C-634D-DE00-000000008502}3792\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 10341000x8000000000000000754887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.775{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.773{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.769{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.769{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.767{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.766{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.764{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.746{A78D3DEB-1BC4-634D-EF00-000000008502}49922860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.700{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1DA339518188FE9152EEF23EC97D56,SHA256=27A9DF5F76096C844B5161E65400D563F8BB1A5CC892ED76298FAD659FF90189,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.589{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1BC4-634D-EF00-000000008502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.587{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.587{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.587{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.586{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.586{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1BC4-634D-EF00-000000008502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.586{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1BC4-634D-EF00-000000008502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.450{A78D3DEB-1BC4-634D-EF00-000000008502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000754870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.261{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.260{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 23542300x8000000000000000519163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:24.047{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929198E0309EBCE77276C53435DF3D23,SHA256=A5E5F700EFCD61CE3E61443996230E2C3635E271B941F738D0FD8E004763D74C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.174{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57787-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000754913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:24.174{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57787-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000754912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.748{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF4562A1691BCF480E0D7012857B06F,SHA256=A9FC243E5453FE6DFFB5008A300B29F9F40712B61AEEAB8CC0FE0DAE1CD410D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:25.237{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9673B40EB9903BD9C48FFC217AD78E,SHA256=9EEADCFDA398CCB90E6A41BFF1BB697A8A2509AE558C794A7D4823EAEB376F2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.401{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1BC5-634D-F000-000000008502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.399{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.399{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.399{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.399{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.399{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1BC5-634D-F000-000000008502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.398{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1BC5-634D-F000-000000008502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.229{A78D3DEB-1BC5-634D-F000-000000008502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000754903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.252{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.251{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.251{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.250{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.249{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.248{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.247{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.245{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.237{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.229{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.202{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.196{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.188{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.184{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 10341000x8000000000000000754889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.183{A78D3DEB-1AF5-634D-9E00-000000008502}54844308C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001B421150) 23542300x8000000000000000754888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.021{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B30B83E55FDC99457CEFF0B99FA5A226,SHA256=AE5754C971B6777430CFAFF46A512DB567911BEE06FAC2D5F18E66B069C288A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:25.208{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57788-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000754919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.837{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C713239EDE903215AE0E6BB8E61E29A7,SHA256=E5EBBCC2B7B95CDFB2B9E84DA37C8A1BFA135273DE182C6EFF12E10003CB132C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.414{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.414{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000754916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.412{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x8000000000000000754915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.250{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F82A440E26DDF1312174D6B9E2B6B9B,SHA256=B3F364E27D24DFF9BC659B4B511AA66D623DCD2FFA3339BBF142BAC84181E5E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:25.143{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49762-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:26.432{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5A0FDBF68F93BE1B0AE77E5738246E,SHA256=69C030BF2558503ADC992D67E3226439F7D1453A697D5ABF640F36360182D539,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.581{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57791-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49666- 354300x8000000000000000754952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.581{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57791-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local49666- 354300x8000000000000000754951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.580{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57790-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local135epmap 354300x8000000000000000754950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.580{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57790-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local135epmap 354300x8000000000000000754949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.569{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57789-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000754948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.569{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57789-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000519167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:27.519{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C88A465BD8800616DC7A90600F06A8,SHA256=76F9DFA7E4C784796C5DB8E6549523EEEBDC53A61810BCB4D0AD18C20FB14FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.711{A78D3DEB-1BC7-634D-F200-000000008502}47765432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.547{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1BC7-634D-F200-000000008502}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.545{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.545{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.545{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.545{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.544{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1BC7-634D-F200-000000008502}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.544{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1BC7-634D-F200-000000008502}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.544{A78D3DEB-1BC7-634D-F200-000000008502}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000754938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:27.275{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\C27913A6-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_C27913A6-0000-0000-0000-100000000000.XML 23542300x8000000000000000754937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.275{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=F5A82B78E353A185380904A6BFC86725,SHA256=D7BD99484F39E883220D1057B4FAA4D6DE9D9B48B5F89312AC7881E904A8D6B1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000754936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:27.259{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E7B3DA44-2668-42CA-9EED-B2CF1DE02E29\Config SourceDWORD (0x00000001) 13241300x8000000000000000754935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:27.259{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E7B3DA44-2668-42CA-9EED-B2CF1DE02E29\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E7B3DA44-2668-42CA-9EED-B2CF1DE02E29.XML 10341000x8000000000000000754934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.259{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.243{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.243{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.243{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.243{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.196{A78D3DEB-1BC6-634D-F100-000000008502}56805972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.057{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1BC6-634D-F100-000000008502}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.057{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.057{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.057{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.057{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.057{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1BC6-634D-F100-000000008502}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.057{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1BC6-634D-F100-000000008502}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.925{A78D3DEB-1BC6-634D-F100-000000008502}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000754976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.979{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.921{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DDE03EE08C64428E880CF15F4C9DF0,SHA256=FEEB61BDC8FE50E4DE7874426B0CEF12A2AFBFEF6DE21A71BD80ED59BF1B53DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000754974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.416{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57792-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000754973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:27.416{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57792-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000519168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:28.612{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDB2B86691250DFCDF3A3440A6280E3,SHA256=44649D33EBD6483C9B451F2AC60ECF6C4D897B15AD996A7F224C265E80BE322F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.379{A78D3DEB-1BC8-634D-F300-000000008502}59885792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.210{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1BC8-634D-F300-000000008502}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.208{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.208{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.208{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.208{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.207{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1BC8-634D-F300-000000008502}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.207{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1BC8-634D-F300-000000008502}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.065{A78D3DEB-1BC8-634D-F300-000000008502}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000754963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.193{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=9DFD021D3B7F2E1B99B3C7F441795A97,SHA256=461113882C24D0612229232AD8D01EA37941EB286E3AA93EE30F3382848ABDE5,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000754962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:09:28.150{A78D3DEB-1A89-634D-2800-000000008502}2600\Winsock2\CatalogChangeListener-a28-0C:\Windows\system32\DFSRs.exe 10341000x8000000000000000754961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.149{A78D3DEB-1A7C-634D-1200-000000008502}4481128C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000754960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.122{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.121{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.102{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.099{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.099{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000754955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:26.415{A78D3DEB-1A89-634D-2800-000000008502}2600win-dc-ctus-attack-range-801.attackrange.local0fe80::7952:f0aa:bbbd:6ad5;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 23542300x8000000000000000754954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.065{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D9C78B8664922BE70215E7972439BF,SHA256=5B10DE845C63C44205F0BECA5B4304180B4284FAF3A18BE1DACE1362F892C369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.981{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.981{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000754985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.938{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1DEFFD0AFAACEF4EDE91DC38AD20D8,SHA256=5C613337170488391ABCB724D2D93A2A8A7577E7B3A26E48769A9D3B5B7A72EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.930{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000754983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.269{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57793-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000754982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:28.269{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57793-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000519169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:29.697{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E393292E6A4991A95874CB731DBCAFD7,SHA256=0BA7B0EABB0FCC8411BB1DB5AB999738267F77214B5EC312E9AADF4E091C20FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.810{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.806{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.806{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000754978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:29.104{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup\DFSR Replicated Folder {88596FCE-7C89-4377-A599-0C5D79A271E2}-{8491A145-9769-4BB1-9031-0D7C0C73D251}Binary Data 23542300x8000000000000000754977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.030{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1FEBE0A6402C42D30006745B932C38C5,SHA256=11425D670E79A659542CFA6003DDF3F87D2905155B354D6F2EECE86C8DD4F583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.971{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266BB512AA2BAF6E403CB2C73889B221,SHA256=C8AE21103A1E1F72869899B122C34E425CFC61B7BC9D0F09508CDE1865436968,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000755002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.975{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57796-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000755001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.975{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57796-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000755000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.148{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57795-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000754999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:29.148{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57795-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000519170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:30.893{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D565F772D04000F3F27C12E61D1E4D83,SHA256=4329A56433A10B4B8D66DB33CB88790817A904B4DF14468581FFBC3EA09BFB63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000754998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.771{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.763{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.763{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.076{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1BCA-634D-F400-000000008502}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.074{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.074{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.073{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.073{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.073{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1BCA-634D-F400-000000008502}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000754989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.073{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1BCA-634D-F400-000000008502}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000754988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.073{A78D3DEB-1BCA-634D-F400-000000008502}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000755008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:31.884{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8437A61244AF5A0995D3775C5345B887,SHA256=92A3503DD66736E66902CD7B504E7D7601E77514F001287CAB7C388C89603DE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000755007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.933{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57798-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000755006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.933{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57798-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000519171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:31.970{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFAB333B1B88CEFB7460BDA1E824B13C,SHA256=5788FA68072C5922BBC051FA14BEF087BA173F975B867E587A3EC8EA731C923C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000755005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.101{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57797-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000755004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:30.101{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57797-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000755009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:32.993{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78FA8934E80579BA0F71F2F7D269E53,SHA256=37D9A41FE90B00C6A5545CF7F09DEF494B3D2440E8800FD0479EC3B6DBCCD75C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:31.065{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49763-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000755010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:31.187{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57799-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:33.177{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B175319486E9A11D31CF59918C9134,SHA256=DFCF6EA1FD08A392AD080F7B1541905C1851FB29B5BD997C0273263191307E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:34.121{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD67A7EA2BD3F4AA85218FB938E2146,SHA256=3691368FCB7A94C02CE3C41A33D9FB9B73C4750F046C845E72A2AC9A33272035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1BCE-634D-9A00-000000008502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1BCE-634D-9A00-000000008502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.956{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1BCE-634D-9A00-000000008502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.957{5C0BDE06-1BCE-634D-9A00-000000008502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000519187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.290{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1BCE-634D-9900-000000008502}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.289{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.289{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.289{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.289{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.289{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.289{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.289{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.288{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.288{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.288{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1BCE-634D-9900-000000008502}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.288{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1BCE-634D-9900-000000008502}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.288{5C0BDE06-1BCE-634D-9900-000000008502}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000519174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:34.272{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AD3599F40CCDA4CA6B1BD149CE1A3B,SHA256=06316698DA6186E2B79C8054F97418F59ADAC9B83F0CBAD4ED200358582071F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:35.233{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4998EB42C44C2A5D174595F8D829EEF9,SHA256=CF7106BBE1BFD2A59996F6243101AB6B02C37EA27A9A9AC90BFFCD6CC2F0EDC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.469{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1BCF-634D-9B00-000000008502}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.468{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.467{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.467{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.467{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.467{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.467{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.467{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.467{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.466{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.466{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1BCF-634D-9B00-000000008502}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.466{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1BCF-634D-9B00-000000008502}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.466{5C0BDE06-1BCF-634D-9B00-000000008502}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000519204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.458{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C38525E3B2C37A4645C7EF82FAE84094,SHA256=53B83AB80D06FD3AEDDE6FB2FA5B16E7AA5A886ACA914D62E75AE2247CF09F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.447{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B332A4E27FD1E1BEA5FA868BB2DADAD,SHA256=D5FBC71548EE32A7F6613164A4EB5C5272C4026AECAF9F0A0219D0D62D350B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.373{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0863B7C3B69A6EE47027C21A3A7CFFAA,SHA256=91C9F5D6DD506D1AA188EB6CD929FA5D9EABE6FF8C47EEE9763D670554444418,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:35.191{5C0BDE06-1BCE-634D-9A00-000000008502}23683324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000755013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:36.369{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C3B58A95B8592E90CCA22FB0316F5A,SHA256=D62B65B45902D60F1CD86ADAE3D50B761FA6CEBB99589B11C7190780D38D2AF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1BD0-634D-9D00-000000008502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1BD0-634D-9D00-000000008502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.815{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1BD0-634D-9D00-000000008502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.816{5C0BDE06-1BD0-634D-9D00-000000008502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000519232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.535{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E489DDC2AE299AD3AF50EBCCAEE129,SHA256=9E70C4ECED104B75006DDF25D1762CCD56053C6DCFF7C02ABB2B98648B85031C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.425{5C0BDE06-1BD0-634D-9C00-000000008502}32723196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1BD0-634D-9C00-000000008502}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1BD0-634D-9C00-000000008502}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.143{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1BD0-634D-9C00-000000008502}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:36.144{5C0BDE06-1BD0-634D-9C00-000000008502}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000755014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:37.399{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDBB5498AE8C0AEB473C86E131836C1,SHA256=F8CD751BA41976BB9851A0B2D83976B00863CC2EB3762DA666DB72999CABEA24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.706{5C0BDE06-1BD1-634D-9E00-000000008502}29643808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.490{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1BD1-634D-9E00-000000008502}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.489{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.489{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.488{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.488{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.488{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.488{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.488{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.485{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.483{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.483{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1BD1-634D-9E00-000000008502}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.483{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1BD1-634D-9E00-000000008502}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.483{5C0BDE06-1BD1-634D-9E00-000000008502}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000519247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.465{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C15B77C7F1F87841F10128ED94BA95,SHA256=42EB9D2B07F22BDF883970B0C76E3393D13835176FECB16C275EE3D8C74DC10B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.034{5C0BDE06-1BD0-634D-9D00-000000008502}34323816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000755016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:38.413{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8400C8CA0C9A38E06C9C4257FD36BAB4,SHA256=8A580BCB8C1E0AEACD0048566017912B09E3030787B59D5BB78A99105B7D84C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.971{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4EF98A7554ACEE91C2F500C9E0B9F4,SHA256=7594755F527E07AE39EDEBE4C4EA27836713B363EA1949E260193EA4DA5D6F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.552{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DEFAFD8DED35A523BD12336F1F61E055,SHA256=E6C50FC825B23EF4FF2849B63F4A6EE23363F3DB46912A99DB97A0A61636B36C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:37.018{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49764-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000755015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:36.404{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57800-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000519274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1BD2-634D-9F00-000000008502}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1BD2-634D-9F00-000000008502}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1BD2-634D-9F00-000000008502}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.159{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:38.160{5C0BDE06-1BD2-634D-9F00-000000008502}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000755017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:39.546{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BA53A913CBAAD453368D5AA02E8149,SHA256=7BB2446A645C4E302B00F861DF9CA1EDC489EE289FEC92B3AD26975AC98A2CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:39.643{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0302B5AFD28E38F0DDD200C54D2174A2,SHA256=83083BC5A353F8E468AF09288F48267B0B6099243C3D79BAC1E5B842944BB0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:40.569{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB32351C713B46A6C1224CC698B60F7,SHA256=4B514FEC1F4837C0CD65A4619CA475C2B41F27DB72FB558281E4BB5F76902DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.721{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E061F18EA7DA8ABDF9D5807CE48ED860,SHA256=8A1ACD85F89847ABD6B1E9A44718081D13BD9523E4E9FD0A4BC25E5D9ACC1BA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.703{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.700{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.697{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.692{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.690{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.686{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.683{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.676{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.674{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.667{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.662{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.660{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.655{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.633{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.628{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.616{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.613{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.592{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.546{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.529{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.517{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.506{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.499{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.492{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.478{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.469{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.462{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.450{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.438{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:40.435{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000755045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.933{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.931{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.927{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.923{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.918{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.912{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.910{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.905{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.902{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.901{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.899{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.869{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.864{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.853{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.848{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.842{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.835{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.829{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.821{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.815{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.808{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.802{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000755023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.801{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06B2BD466E87FA53A212ACC0D5700F7,SHA256=C86AD5E1FD1C75052041A8C08B363BA0B511E322573C393D8317F3CC01D55183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.774{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.772{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000519310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:41.711{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DDD30F3FDF17E997171DEAF0C83FEE,SHA256=568E8EB4E82316114A8B5558F1BDCE81D8EC747F4E1C9A1D3E696914A49EC3BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.666{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:41.666{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000755065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.971{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510039D6FE2DA5917DCBC6D88007BE60,SHA256=00A89926E02A3ABCCCC33A70DA958FBCC7A33F36DD1A6C6E0E80D885C51BACBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.827{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1de5f|C:\Windows\system32\taskmgr.exe+1d350|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.825{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.825{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.823{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.823{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.823{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.823{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:42.916{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519672534E53FCEB468DFEC630E5A5E0,SHA256=59E505297CBB6EB808668F11D970A6BA4F4E55EEB0B0ED166727F0F879944F05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.599{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.598{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.486{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.486{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.485{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.485{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.485{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000755050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.484{A78D3DEB-1BB3-634D-EC00-000000008502}57564348C:\Windows\SysWOW64\regsvr32.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|D:\7533.dll+c020(wow64)|D:\7533.dll+db3b(wow64)|D:\7533.dll+6319(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000755049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.416{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\SysWOW64\explorer.exeD:\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=1A3B0FF3E223494347622890CB313A50,SHA256=D715B4B742913367F54A47C3747AA312C7B938B56BD3A24E5E33E1E91FA03937,IMPHASH=027A05A63341529EA0932E72FEFFFCF0{A78D3DEB-1BB3-634D-EC00-000000008502}5756C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\regsvr32.exe 7533.dll 10341000x8000000000000000755048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.416{A78D3DEB-1A7C-634D-1000-000000008502}84752C:\Windows\System32\svchost.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.186{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.183{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000519313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:43.992{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C3D0539E5F6474B7AAFD5CB9BA7F2A,SHA256=CFA8CCDB0669047F36C7A11C46FD67A3864DDEF00E57CA2220DF41DE1B780C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:43.842{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C180C5FC3E1713FBEA1BC59C83740D7,SHA256=DE3903A8DE6FE1944AF45331B92218F9687BB6AA19A05CE1288172F59C008753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:43.420{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48CC38F5F602E59881275EEAEFF33DC,SHA256=07ED4ADBE80CCD5E112D64203A9E65373C0B3EE142BC917B1C3592386768C899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:43.015{A78D3DEB-1A7C-634D-1600-000000008502}1236NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=89B5A960D8A34C114061E5AE856B5050,SHA256=DB27C5E38661773F67F58A4CEA25C299558F49BD5ED575A7976CD1367D78D673,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000755066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:43.000{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceSetup\LastActiveTimeBinary Data 354300x8000000000000000519312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:42.258{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49765-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000755099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.799{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.798{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.798{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.797{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.795{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.794{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.791{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.781{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.771{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.743{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.738{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.729{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.723{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.721{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.719{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.716{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.712{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.711{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.709{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.708{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.706{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 12241200x8000000000000000755078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteKey2022-10-17 09:09:44.627{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe\REGISTRY\A\{80dea106-95e6-68e4-a526-9685e5072dc2}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x8000000000000000755077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:44.627{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe\REGISTRY\A\{80dea106-95e6-68e4-a526-9685e5072dc2}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 12241200x8000000000000000755076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteKey2022-10-17 09:09:44.627{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe\REGISTRY\A\{80dea106-95e6-68e4-a526-9685e5072dc2}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x8000000000000000755075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:44.627{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe\REGISTRY\A\{80dea106-95e6-68e4-a526-9685e5072dc2}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 13241300x8000000000000000755074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:44.627{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\SIGN.MEDIA=7D8772 calc.exeBinary Data 10341000x8000000000000000755073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.190{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000755072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.189{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 354300x8000000000000000755071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:42.391{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57801-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000755070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:44.008{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A77B27C38CEED73CB10FC5998190259C,SHA256=CF79CE0A454370EFF58ABBC671A4A83FB38BCB3E0494828914246C963AE6A0BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:45.051{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DB579E05EB363F8A7F2C7BE777EAC663,SHA256=F98616FF6CD7D35BD361A7184644EB46D190DC00B00307DBCF91A1C04C8980D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:45.031{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C29F1C85CC124F17423B11D69ECCE58,SHA256=A50A7D832D5A5CA1CA6547C6F2CF9B1B4FF3319835CEA1658EE235CAFA90FDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:45.289{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886B26311DF5010766F4364C9EA8A494,SHA256=11E7502E17A31A4813BFA899089781693C6675DAF6D9D0FA13151C2E2892A512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:46.385{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B735E57173270C6E1D84382839ED6EA,SHA256=B52F0C2887A4FD7B64C8EAF4E046D4C2E965A9F5A7C42A7D8D63A0C81C2875C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:46.546{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000755107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:46.546{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000755106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:46.546{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000755105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:46.461{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000755104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:46.461{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000755103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:46.461{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000755102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:46.083{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1BCB78A955D5BA0703A90BE5867E65,SHA256=C567DE674E789A628B2C66A8478E33BA555AE1B00B3C3B84D6D7D104FCE882D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:47.580{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA42F10ABB228D36DDE6A3398D6A60F3,SHA256=47971D52C5C4FC52430B2365D2070B9CF7704D3FD8FDC9349629F472F2516DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:47.108{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9816741D7FB07F962FF2807742ACC0C,SHA256=B732EEA78E69779ADDD79D2A3EF103F73A398132E312850EDD894C21B1CCE0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:48.673{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02C9EF0993FBD1C7A42706141BF00AF,SHA256=845074637512F91C48EBDF0CC20EDF11D7CC1053F9C825B8D90D058D178D50E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:48.200{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C54BC70C6A1AE029F3A3CADAB08315,SHA256=D447C44BE5CC25510705568F8C75DD3BE083FDD91044545A1EB52622EE8D41B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:48.146{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49766-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:49.764{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13351BCB8C8E8FDA89AAB6A6B0C1F183,SHA256=FA141C737C88A177D246EEECCB4BB8CE1B95C254648230647980A60CE41B074B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:49.286{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E3B5FC5E32B2E3B184608B144756DF,SHA256=AF5E7DA6B41606BDC3CE7D1194FDDD0C161AC2F75FB0747B0DDDB786B7DB7FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:50.862{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4460627A365A7B692BB783D5AAADDB3,SHA256=0291E2F02F9F700D47DDA32CEA3E91442823E01CFE92DB85BE55853845E54D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:50.360{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDE7E701699B42C12D269C9C8083EDA,SHA256=510BEC5BD7430ED2041FE302FC47AF9D9908D9B28187940ECBDFE26FDFA394A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000755112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:48.317{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57802-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000755114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:51.448{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BFB34B870BEBBBC446625CF4FB1B1D,SHA256=12524DCE83DFD1992CECA671712044B02FF1F9199383A6C0E8E904A9C0A82856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:52.524{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA6B817A0444A23E564182344B5516E,SHA256=94B3FA62F16C97F3D647F3C266FEADFF994B896DAC4CAD9EED9DD43116F2816E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:52.059{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4AAC3A434B284F8F368FD8236FAFAF,SHA256=5813E57E1B453D910BC03849FF8239EDFC8FD7B5148E9CF0EE1A93A5CB250D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:53.611{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F870DCD227216C8BFF3A578338BFBEE,SHA256=E8352CC7065BD2C6E382B7B29936D07D1594D46A281ECFF5983B28CC73920B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:53.149{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A8A7DD1670AFF777455EEFA2737C75,SHA256=66AB3A54452F329789B0E499A2C57FA74D409C4E0830FAEF2CD8C723C7AECD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:53.149{5C0BDE06-1A78-634D-1100-000000008502}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=372FB860FE042A380909692AD480FBA1,SHA256=FAEA8CC3FD80EBCE8D4D3E95596DD348189991199C0089479218D5B75E527A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:54.685{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140F26FACBA27EC623625E4307406335,SHA256=296F32834FA1FFD0E246D222EECB605A12DBBFA57BE46E38BCAB110283475F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:54.237{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03687BE7AA8F5B4EE7F2034ACE7D328,SHA256=156BA2E5308D7AF4D722CFB8221804B75D07F10B28034EB37D7C27512C92B9EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:53.243{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49767-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:55.322{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B237D1AB5FB9B1F228344A6B0BC88E,SHA256=18AEAC0FC4A01F48EC9A11FF1B4EC1BFB2333DA26A0CA5EBBE369201608BBC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.896{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+5759c|C:\Windows\system32\taskmgr.exe+3a9ba|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+631df|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000755409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:55.709{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\1d1df64a706c36c\fa0aa3c3\LanguageListBinary Data 10341000x8000000000000000755408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.709{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000755406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\1d1df64a706c36c\fa0aa3c3\LanguageListBinary Data 13241300x8000000000000000755405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\1d1df64a706c36c\fa0aa3c3\LanguageListBinary Data 10341000x8000000000000000755404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.693{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.693{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+5759c|C:\Windows\system32\taskmgr.exe+3a9ba|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000755395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d401e4b45e1201\fa0aa3c3\@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}Windows Shell Experience 13241300x8000000000000000755394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:55.693{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d401e4b45e1201\fa0aa3c3\LanguageListBinary Data 10341000x8000000000000000755393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000755391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d401e4b45e1201\fa0aa3c3\LanguageListBinary Data 13241300x8000000000000000755390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d401e4b45e1201\fa0aa3c3\LanguageListBinary Data 10341000x8000000000000000755389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+5759c|C:\Windows\system32\taskmgr.exe+3a9ba|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+5759c|C:\Windows\system32\taskmgr.exe+3a9ba|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.678{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+631df|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.662{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.646{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.631{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+631df|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+631df|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+631df|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+631df|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.615{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+631df|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000755119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:53.368{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57803-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000755118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:55.086{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=564DED60298448E5DD1A011058B0688D,SHA256=EF0D11B8FF1FB65CA46AF1AACF48420B79C51C00566F8D90AAC56454CBD87621,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.899{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000755527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.728{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3552613743CDD91327E78849F631C0,SHA256=34500F078BCAAA00627F9B21FB853E6509E47001B07F6E4C3885B823D39F8EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:56.521{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABC3939816BC47F5ABE460EF27FF296,SHA256=EB6CB3515EF0A45D47AA8A4E9DD4452AF8A9D9F7D9137435C0AF05D0326802F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.196{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB05B6EC737F98064FBCF03CAD935F4,SHA256=2BB2C86B2F89EE0E6E31736B816BEF1E778B9CDD86A11164BEE1B09F56B76E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.181{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40DF1AA383993AD13F9DF094DF5EE06,SHA256=D5672A057EE9C7C961C6F448B372F07B4A63874090E5F06FA22A51368DE279CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:56.083{A78D3DEB-1A7C-634D-1100-000000008502}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=69F3B03FC1AA679B46DA6954E9E6A5FE,SHA256=5B6C6494949AEE6300B82FF4358542811B3E455AEBD1F5DBE20AD56F5ECEDD11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.934{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CB8F7594D256715B0F33B6A9FA5E67,SHA256=CBF826820D5C909C08FA7034AF47E7D6B6CEFF929C323E7FDD4F969DBE1A3137,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:57.918{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:57.846{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D680766E860AD48A7C47A8BF6358A1F7,SHA256=69FEC60F99B09A4D00A1D9FD23726A22F461623CFF63BCD6BAA2D6443200306A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:57.611{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6FA5EE5099347C6FB3A178D94B73A9,SHA256=07C42BF105F265223C2A6A530E03CDBA0D664EAFEA2CF922161E34EBE46557A4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000755588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:57.124{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\IdentityCRL\ThrottleCache\S-1-5-18_{DF60E2DF-88AD-4526-AE21-83D130EF0F68}\ThrottleStartedTimeQWORD (0x01d8e207-0xced83238) 13241300x8000000000000000755587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:57.124{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\IdentityCRL\ThrottleCache\S-1-5-18_{DF60E2DF-88AD-4526-AE21-83D130EF0F68}\ThrottleCountDWORD (0x00000001) 13241300x8000000000000000755586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:57.124{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\IdentityCRL\ThrottleCache\S-1-5-21-2101601273-3326142395-4157521269-500_{DF60E2DF-88AD-4526-AE21-83D130EF0F68}\ThrottleStartedTimeQWORD (0x01d8e207-0xc8b86fc2) 13241300x8000000000000000755585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:09:57.124{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\IdentityCRL\ThrottleCache\S-1-5-21-2101601273-3326142395-4157521269-500_{DF60E2DF-88AD-4526-AE21-83D130EF0F68}\ThrottleCountDWORD (0x00000001) 10341000x8000000000000000755704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.937{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:58.692{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D43B352B53C33FF981EA2ED5CCFE953,SHA256=B54E3062AF484EE169EB33FEF2CBA08B4FC97FE3020DD1B6CC0290D3CD027804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:58.187{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BA147A61312A71C0F2AA8C3CC99FB6D8,SHA256=BEEC78CC0F18B6C160D54610EBBC45B8027BDA36EE11AAD0AEB6009804CF912B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:59.780{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBA664A9919D0458BE13EA8464C0579,SHA256=6236ACE53B3D950DE51FFAF4C3EAAEEE1BB9CAADE32925D51FD4766168ECBEDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.955{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000755705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.393{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF744508D40A51893C56761B7FAD296,SHA256=974E6D9C886EB2BBE082B98118C34E70E8E01C71DB5FF28EEEBCE55F87FF7871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.954{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000755783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.766{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DF154A96623B88564D30758FF736FC,SHA256=6B96202500EBA47CF8C06AFACD3E73C3001F24224FF59299D11902FF318F6653,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000755782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 13241300x8000000000000000755781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x8000000000000000755780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x8000000000000000755779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d8e208) 13241300x8000000000000000755778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x3c51df6a) 13241300x8000000000000000755777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d8e208) 13241300x8000000000000000755776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x3c3ecbd8) 13241300x8000000000000000755775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000755774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x8000000000000000755773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 13241300x8000000000000000755772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 13241300x8000000000000000755771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.704{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 10341000x8000000000000000755770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.688{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000519361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.754{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.749{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.745{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.737{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.735{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.731{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.729{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.725{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.721{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.716{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.710{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.707{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.699{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.676{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.670{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.648{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.645{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.622{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.570{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.555{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.541{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.521{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.509{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.503{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.498{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.488{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.473{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.459{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.444{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 10341000x8000000000000000519332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:00.439{5C0BDE06-1A79-634D-1E00-000000008502}19402764C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018AE0190) 13241300x8000000000000000755769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.688{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 354300x8000000000000000755768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:09:59.339{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57804-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000755767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.579{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000755766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.579{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal 13241300x8000000000000000755765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:00.579{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-801.attackrange.local 10341000x8000000000000000755764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.579{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000755763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.548{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4BADE0F48F800FD4E70D22F91D2372,SHA256=79157A90FCEDF87C0C2857A1C74A6A2434C00A56B8996C536F9D66824D70F8EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.963{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.961{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.956{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.953{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.948{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.947{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.946{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.945{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.944{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.944{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.944{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.940{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.938{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.932{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.929{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.927{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.925{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.895{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.890{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.879{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.874{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.867{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.858{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.852{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.843{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.837{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.829{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.822{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.785{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.781{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 23542300x8000000000000000755844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.724{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3FCE9CDF0B27FAC53CBE74216072365,SHA256=7D316D36A5C5D44BB8EC5F2551E1CA21965F3F8639BB78451D5050A68AB5741B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000755843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.763{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57805-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000755842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.763{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57805-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000755841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:01.120{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7497AFA27BAA4575B5BFEEB178011C67,SHA256=B0D0750A8109F0700C8A6072F8D40D6E1A2BA207F61A0BD1EA5FC9C1B77E0D92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:09:59.177{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49768-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:01.218{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53C77F69EB51436AF37A7C23F1473FE,SHA256=82A3C5FBBFBE642795F14A96FEB7895D9F633C41231B2A4A3CABAFC672F7CAF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000755990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.968{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000755933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57807-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local445microsoft-ds 354300x8000000000000000755932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local57807-truefe80:0:0:0:7952:f0aa:bbbd:6ad5win-dc-ctus-attack-range-801.attackrange.local445microsoft-ds 354300x8000000000000000755931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.774{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57806-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000755930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:00.774{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57806-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local389ldap 10341000x8000000000000000755929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.322{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000755928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.320{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 23542300x8000000000000000755927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.197{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F92CE5F8C4EA11C3097148A897C79CA,SHA256=A7866C9149C0CA4FD1377249316C9C94D54F01DC6BCE4C5AAD299409F046F836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000755926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:02.166{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0EA2FEAEE1A1A000F322AA3608190B,SHA256=47200A886161A87240F03D49969477E114C4CAD0D237E7E0F7333F508106AC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:02.297{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACC592D566897C2472F699BD13368C8,SHA256=C4E2F0523749BEA4D4994D4C17F880CB26354AED44FC4B4DF802F2B834587352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:03.737{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\respondent-20221017090356-005MD5=75B25DC729C19E88528C82668494583A,SHA256=ABB595BDF77E2788F2F972811CAEECA924DDF1180379487ABCCADDFB4B859A12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:03.672{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:03.394{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6230AFF40C0D5BACDDEA628221142C6,SHA256=9CC1B6A04F08FE5628363DE2E6E08C88A6512E6B6E05F2E00DD7F71B4B297533,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.973{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000755991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:03.771{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22D60110DEB62210536E357FC96A09E,SHA256=2AC5455B21B025F1B7D43031E332355B4AEFF353CB606375564E25F51C67FCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:03.241{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=09AA2972BA4C4B83CE004AD815AEA288,SHA256=7FE954C9678D41E724D04FF4D0B67453B0FEA7E85B70A21F65D4F2C5032AEEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:04.737{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-006MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:04.501{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073F064A3AE05C171C3AF333BA8BE6BB,SHA256=5B835E87BFEC782C260ABBD1C179BC77AD1DB828BE32CF17F8BA005DE00AE61B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.986{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.985{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.984{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.984{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.984{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.984{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.984{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.984{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.984{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.984{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000756119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.984{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C31167EF6B9389D8A10C86FC6EDECF,SHA256=EA1A1BE68804BAEFEE9B8EEF817F4CD7C3BE948813DBF0D236D0F744CE02A0CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.983{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.981{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.978{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.965{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.952{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.919{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.919{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.919{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.919{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.919{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.919{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.919{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.919{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.919{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.918{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.918{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.918{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.918{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.918{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.918{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.917{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.917{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.917{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.917{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.917{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.917{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.917{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.917{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.916{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.915{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.915{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.915{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.915{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.915{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.915{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.915{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.915{A78D3DEB-1A7B-634D-0D00-000000008502}908928C:\Windows\system32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.912{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.893{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.882{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.879{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.877{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.874{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.870{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.868{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.866{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.865{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.861{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 23542300x8000000000000000756057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.826{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCC11C72182336A8BA989E93E0DB8BB,SHA256=33B35EB0CDA240EFF767FBB817F7238E6DCF140A351AC7F8F1BF3C1C5A56C11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000756056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.372{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3F6F20C549625715808BBEEFDA09C6,SHA256=D2F9904AA845FDEF72156C1FC4EFF45FCCBF745749361727446554F48EBEA0E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.354{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.352{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 23542300x8000000000000000756053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.227{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=37C9B7DAA855C28168E8F1B242566ADB,SHA256=FF854BB22C6CE37D5110B456FE47AA7F924B20583FB8E5E8246FD1E61621034C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.179{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.178{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.163{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000756183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.948{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E46E9C482C86F1732E84C021CD766DB,SHA256=2810BBD5BAD4A11522D37FE07F5FE1DCFEDB56DF50B9562DEEF530DB37A0359A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:04.191{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49769-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:05.699{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78C03D4EBD69171239C6B7C47E9723A,SHA256=51C95B6BE84AC39DEFCC07C7437D02803A7766386EB59E3769AC83CE46BAC7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000756182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.121{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9670ED94635349F9032DFF4A03C023CC,SHA256=21596E03F22D8D3754DA63553124917AD8101CEC607E030F5B6BE24097BD1A1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.993{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1AF5-634D-9E00-000000008502}54843356C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001535B390) 10341000x8000000000000000756167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:04.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:06.790{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A821B561473C94A71056F4352C867A,SHA256=90A9CA359FB11D29182FA2B3B6BD6DB00232F5843AD6B2FF0805B4DF6D72F141,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:07.872{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B559716E3A8805FC7881E3DD8CB073,SHA256=66E25DC9A0AB3E4DB2F93DC86F97C82931E108F7239524AADF411853AC01B7F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000756299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:05.337{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57808-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000756298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.334{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FB40297A2C3D7B457E2382C1D8773E,SHA256=E88C85A7323EE7EE790967BE455408A6613A60727E64D825B4E0FD32C8725AEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:06.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:08.971{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF069636A209A098EFB19302254700C6,SHA256=65453D5625E1F8C74516C677F8B74D0D5F482D7D4B5F19B8732B97CB26ED4DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:08.877{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9292FD903511979675078840342E2007,SHA256=FF82C2135F1972BBD487A5A975C65457FC6901AE53B83164A9A8843FA7CF38E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000756357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.468{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41ADC241CA29308266B4CBD025BC1CD5,SHA256=BC7E5414661BA3F947B5F4AFB4B4504FD080C210F0DECF9E6BE66EA0E152F83A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:07.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000756415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.605{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195B6F677008B8AD3F550B4B2B1003CE,SHA256=03EDB408A8C04BA1D704C86CC85EAC28834F7C4367B6DD76722785F5604ABE97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:08.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000756478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.912{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57809-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local135epmap 354300x8000000000000000756477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.912{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57809-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local135epmap 23542300x8000000000000000756476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.729{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89FEB3D60B52852395A5297F78404CD,SHA256=66350FC6DD4BB38569B39E6805E67AA0049538BF5D71F9598277C95F7B40BD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:10.052{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6520DB3ED9AC3BAA2971653BB3E0EB,SHA256=695852233D50D47E0BA5D3BEB8D6AC6850C1547DC3F0B149BC6C9570DE297516,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000756475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:10.338{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000756474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:10.338{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{923QQ477-5846-686O-N659-0SPPQ73851N8}Binary Data 13241300x8000000000000000756473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:10.323{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 10341000x8000000000000000756472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:09.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:11.137{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A7EDB35ACD684EAA474E3E7DA62CAC,SHA256=3CC4D29F12E6246E2CC61F58792EF44839A01CD8DA40B3ED7AC6307DAF2CB4DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.864{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.864{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000756605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.864{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5168D7C8685BA9629F908FEA3CF255D3,SHA256=E04D324E11537DE1D26997B2AA688911E62046830CE8142CB57404956730CAA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.817{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.817{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.817{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.817{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.817{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000756599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.817{A78D3DEB-1BF3-634D-F600-000000008502}53365768D:\calc.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|D:\WindowsCodecs.dll+11b0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+6ea4e(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3eeb6(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52fcc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52e6b(wow64)|C:\Windows\SYSTEM32\ntdll.dll+2f106(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3e30b(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3aee4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+5362f(wow64)|C:\Windows\System32\KERNELBASE.dll+c7268(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ad6(wow64) 154100x8000000000000000756598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.821{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\SysWOW64\regsvr32.exe 7533.dllD:\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467,IMPHASH=D053774A49BA83FF54C68888CB687C6C{A78D3DEB-1BF3-634D-F600-000000008502}5336D:\calc.exe"D:\calc.exe" 10341000x8000000000000000756597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.817{A78D3DEB-1A7C-634D-1000-000000008502}84752C:\Windows\System32\svchost.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000756596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:11.786{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{56A7EA89-598E-405D-A397-ED78D7A00DF8}\LaunchCountDWORD (0x00000002) 13241300x8000000000000000756595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:11.786{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{56A7EA89-598E-405D-A397-ED78D7A00DF8}\LastAccessedTimeQWORD (0x01d8e208-0x42eccaa0) 13241300x8000000000000000756594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:11.786{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000756593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:11.786{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\pnyp.rkrBinary Data 10341000x8000000000000000756592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.786{A78D3DEB-1A7C-634D-1000-000000008502}84752C:\Windows\System32\svchost.exe{A78D3DEB-1BF3-634D-F600-000000008502}5336D:\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.786{A78D3DEB-1A7C-634D-1000-000000008502}81588C:\Windows\System32\svchost.exe{A78D3DEB-1BF3-634D-F600-000000008502}5336D:\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.786{A78D3DEB-1A7C-634D-1000-000000008502}81588C:\Windows\System32\svchost.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000756589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.813{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64652- 354300x8000000000000000756588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.812{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60444- 354300x8000000000000000756587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.811{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local50753- 354300x8000000000000000756586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.809{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local50904- 354300x8000000000000000756585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.808{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local65427- 354300x8000000000000000756584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.807{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49551- 354300x8000000000000000756583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.805{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58477- 354300x8000000000000000756582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.805{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49654- 354300x8000000000000000756581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.803{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49513- 354300x8000000000000000756580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.803{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59648- 354300x8000000000000000756579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.802{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local64543- 354300x8000000000000000756578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.801{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62418- 354300x8000000000000000756577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.800{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local50749- 354300x8000000000000000756576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.798{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58673- 354300x8000000000000000756575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.798{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57803- 354300x8000000000000000756574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.797{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local65069- 354300x8000000000000000756573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.796{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60985- 354300x8000000000000000756572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.795{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local65248- 354300x8000000000000000756571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.795{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49249- 354300x8000000000000000756570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.794{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57798- 354300x8000000000000000756569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.793{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56502- 354300x8000000000000000756568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.792{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57822- 354300x8000000000000000756567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.791{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56110- 354300x8000000000000000756566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.790{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local56646- 354300x8000000000000000756565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.789{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local59917- 354300x8000000000000000756564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.788{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58455- 354300x8000000000000000756563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.786{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56172- 354300x8000000000000000756562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.784{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62394- 354300x8000000000000000756561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.783{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58403- 354300x8000000000000000756560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.783{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60045- 354300x8000000000000000756559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.781{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64502- 354300x8000000000000000756558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.779{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local60331- 354300x8000000000000000756557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.778{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local56570- 354300x8000000000000000756556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.777{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local61701- 354300x8000000000000000756555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.777{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49178- 354300x8000000000000000756554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.775{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local62946- 354300x8000000000000000756553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.775{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local62558- 354300x8000000000000000756552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.773{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local58053- 354300x8000000000000000756551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.773{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local58403- 354300x8000000000000000756550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.771{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local50382- 354300x8000000000000000756549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.767{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57987- 354300x8000000000000000756548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.766{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local49544- 354300x8000000000000000756547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.765{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local59414- 354300x8000000000000000756546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.764{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local64752- 354300x8000000000000000756545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.755{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57810-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49666- 354300x8000000000000000756544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.755{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57810-false10.0.1.14win-dc-ctus-attack-range-801.attackrange.local49666- 10341000x8000000000000000756543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.771{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1BF3-634D-F600-000000008502}5336D:\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000756542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.771{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.771{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.771{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.771{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.771{A78D3DEB-1AE9-634D-9A00-000000008502}48763740C:\Windows\Explorer.EXE{A78D3DEB-1BF3-634D-F600-000000008502}5336D:\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e77b|C:\Windows\System32\windows.storage.dll+16e491|C:\Windows\System32\windows.storage.dll+16e0de|C:\Windows\System32\windows.storage.dll+16f380|C:\Windows\System32\windows.storage.dll+16de2e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\windows.storage.dll+16654a|C:\Windows\System32\windows.storage.dll+1662a2|C:\Windows\System32\SHELL32.dll+4c93d|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d039|C:\Windows\System32\SHELL32.dll+e6e0e|C:\Windows\System32\SHELL32.dll+18171c|C:\Windows\System32\SHELL32.dll+181473|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000756537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.779{A78D3DEB-1BF3-634D-F600-000000008502}5336D:\calc.exe6.1.7601.17514 (win7sp1_rtm.101119-1850)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"D:\calc.exe" D:\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000756536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.661{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A55B09FFD2C76D03433E765E0F25F0F,SHA256=9A756FB43D7CE1E358811A658443C05B44288F2B3DC55E02D3191795123694E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:10.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:10.115{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49770-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:12.444{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6BA270EE8C56C8B812BB150DBA3EC3,SHA256=F84AE496FE00251B4B561B484E7887908DC1B77F7946AFF0242EDBFEDBF35EEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e2b00|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+124250|C:\Windows\System32\SHELL32.dll+e2abc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e2a90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}48765112C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000756686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.902{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B33CF2119E4F0A84D8DD47CDC1198EB,SHA256=60A1513EAA0C9F899346D348057638795EF6579AB94142D9B8066EC184BA5558,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000756685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:11.318{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57811-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000756684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.512{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308F9C65E7B4A2D97094A3CB0E921D5D,SHA256=7DB9E981E601C2058C67AF94A496C1709CBDECEA48B9687D784E80975B6D09A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.369{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000756682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.369{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000756681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.369{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000756680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.367{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000756679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.367{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000756678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.367{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000756677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.366{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0611578F6D688EB869FA18339B901C85,SHA256=E8CF92D993A3A6BB97D0D47DC60880D9CAFE60BC4C633DAA1875AA1D64683F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000756676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.221{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DB747AEA2E6FDD3D32FEFA841684CE,SHA256=639AF4EF0E0D30D0F9B58F6422B7496F9E936BBFE74ACF68AC183E09F6502CCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000756756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.855{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97590F329BAD0F1F47B69F4B506F45F1,SHA256=0ED41D0FB82DF1E40ED69B55EFE442107A265CF547BCC4A8A602FEC0729210AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:13.541{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8A2E5940C270BEBC5B316A83EE23EE,SHA256=2973BDBCC1C61D1DD8910AAB2D547D7265DB3A7CDA24DCE10058CF5895A583DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000756755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.271{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DD75D68451164F222106619AC9D154,SHA256=119B92B95B434531C799F29AE6566AB75E97CF20A005DA26BFBAAD43489914C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000756696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500_Classes\Local Settings\MuiCache\161\52C64B7E\LanguageListBinary Data 13241300x8000000000000000756695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000756694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x8000000000000000756693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}48764512C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e13bf|C:\Windows\System32\SHELL32.dll+e3185|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}48764512C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e309e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:12.996{A78D3DEB-1AE9-634D-9A00-000000008502}48764512C:\Windows\Explorer.EXE{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e1614|C:\Windows\System32\SHELL32.dll+e3067|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beef|C:\Windows\System32\windows.storage.dll+13ac6f|C:\Windows\System32\windows.storage.dll+13918f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:14.644{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4463BA4DC46D19478BCD456BD911772C,SHA256=7FD45699CD7076ACEFA51715C3DA37AE6B5156080538981CE2F295760504BFDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:13.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:15.735{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D09363AC7A1C4889545589518C475D,SHA256=142B81B48EB974ABD41D1175BD5F59A1755B0FA148BF423EDC92D532896CF5C4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000756933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:15.997{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000756932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:15.997{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{923QQ477-5846-686O-N659-0SPPQ73851N8}Binary Data 10341000x8000000000000000756931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000756873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.314{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBFD5005374333E2E180865605D31C4,SHA256=1C9D9347EB9D7307C223CDEAD238C6A9F4BDF7F86F9E4EE53D8A8FE34416269E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:15.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:14.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:16.977{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:16.930{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64313904A57BA03CD216E9D452BCFAC2,SHA256=6D499DC1500C3CD1E96E2FBDF3A06E07C0FFACFA9D3B1F8CD7CA26C645221387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000756992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000756934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:16.340{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348D7428447E63E2A431FF1BCA7AB5F1,SHA256=EDD63670E638C00457E996E1A971A483B422CBCDF21EB000D2BF6ECCE6C66EBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.992{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.991{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000756993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.864{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5EE216A2D77EE95C8581E8F0771E8A,SHA256=8C8DE92BB0AEBFF7456CD46BCB8840B344489626D285ECCD0F61F84048665339,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:16.048{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49771-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000757100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.995{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.994{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.993{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000757052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:17.319{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57812-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000519388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:16.961{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49772-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000519387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:18.007{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE0E918E4365508D7DD5FF268535589,SHA256=9D35974D71170A022B22FB184BA43A03286C80AD8E8CC78894534EBB89ECC5BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000757112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.390{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6E683D5159E8797A470F358114FA85,SHA256=A2C3A70E537A9971953D3F62EDAF7C9EF5023A3042114A506A555FDB41957386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000757111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.374{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\respondent-20221017090412-005MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.997{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:18.996{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:19.312{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E38692CC8C697F5AD5317D3099B297,SHA256=24A6B43146CEB21301AD082307C6790D6E72BCB5F8317ADA4BC6336323A60CC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.683{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.680{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.677{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.672{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.671{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.668{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.667{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.664{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.663{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.660{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.657{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.654{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.648{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.633{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.629{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.617{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.613{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.593{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.562{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.551{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.542{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.528{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 23542300x8000000000000000519398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.514{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433EAE410C4664F716F4521F83C201C3,SHA256=8AB3E4B1BA103D8C7950C0724184322C4773320935894F5351D4943AED35FBBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.514{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.504{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.496{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.481{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.470{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000757176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000757172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.412{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801CCBA843F82B058237188851DB160C,SHA256=FC04A4960FB86580F65070D95AE2DC66574B7CA5FC292536997116B84E013397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000757171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.374{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\surveyor-20221017090410-006MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:19.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.457{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.435{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000519390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:20.431{5C0BDE06-1A79-634D-1E00-000000008502}19401612C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001EC6C190) 10341000x8000000000000000757315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.990{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.989{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.988{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.987{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000757257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.958{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63ED4594612D29401611F02484FACAD7,SHA256=2D62D4519AFD534D1D6BC4B873EB55C286C16B0E5D90A73128BB6B394D5304DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.932{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.930{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.925{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.922{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.916{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.909{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.908{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.902{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.900{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.898{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.897{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.869{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.864{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.851{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.847{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.840{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.832{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.825{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.816{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.810{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.802{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.795{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.763{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.761{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x8000000000000000757232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.465{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000757231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.435{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2443791023BD3272A94AE6E25CA359,SHA256=6A5910675F22E35602086BF71D9257CB84957B84B645E59B7F8E19CD93B4236A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:20.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.998{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000757319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:21.636{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57813-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000757318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.234{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.232{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x8000000000000000757316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.095{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E68D2C72797391074D00E69C38D6842,SHA256=F996079EE81A039C886579014749E7E49C3FFFA019A54A583E9214DECE76B0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:22.186{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B655EB330EAFFB6CE0B434FD451B3A0,SHA256=9E665EB84A392F055C5086418860ACA87CEA6B1E26732E496C1EC33526FE0458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:23.239{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E05B5C66BD450324230D06B7A2BDC7,SHA256=37C4825E50F29DD2569D6D38075B7DF463843987BABECA6D5777E552AF6051A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.976{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.975{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.975{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000757392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:23.974{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Eybfvhazm\b0732111Binary Data 13241300x8000000000000000757391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:23.974{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Eybfvhazm\8cf4674Binary Data 13241300x8000000000000000757390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:23.974{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Eybfvhazm\75c709feBinary Data 13241300x8000000000000000757389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:23.974{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Eybfvhazm\cd7b6e9bBinary Data 13241300x8000000000000000757388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:23.974{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Eybfvhazm\cf3a4ee7Binary Data 13241300x8000000000000000757387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:23.974{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Eybfvhazm\faa59ea9Binary Data 10341000x8000000000000000757386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.623{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1BFF-634D-F800-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.622{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.621{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.621{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.621{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.621{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1BFF-634D-F800-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000757380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.620{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1BFF-634D-F800-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000757379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.620{A78D3DEB-1BFF-634D-F800-000000008502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000757378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.620{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0FAAB64C2F96FF8363B030A9FBDF7C,SHA256=B28EE3738A560A3B3248B013128142A3A4C486049CD6A3667B7359D0074D8491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:23.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.999{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:21.248{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49773-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:24.547{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D2ED5E33484091D3190A119A2EF70A,SHA256=686746E616977D6A5553BE00845273CA07532EDBCA09E64FE80A371AFDDCBAE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000757507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:22.428{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57814-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000757506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.832{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.831{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.827{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.826{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.826{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.825{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.823{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.822{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.820{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.810{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.801{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.780{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.774{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.766{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.762{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.760{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.758{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.756{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.752{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.751{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.749{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.749{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.747{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.573{A78D3DEB-1C00-634D-F900-000000008502}52966084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.414{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C00-634D-F900-000000008502}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.411{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.411{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.411{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.411{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.411{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1C00-634D-F900-000000008502}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000757476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.410{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C00-634D-F900-000000008502}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000757475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.410{A78D3DEB-1C00-634D-F900-000000008502}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000757474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.240{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.239{A78D3DEB-1AF5-634D-9E00-000000008502}54845540C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x8000000000000000757472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.218{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.217{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.217{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.216{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.216{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.216{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.216{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.215{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.215{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.214{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x8000000000000000757462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:24.212{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Eybfvhazm\faa59ea9Binary Data 10341000x8000000000000000757461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.211{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000757460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:10:24.211{A78D3DEB-1BD6-634D-F500-000000008502}2228\{4712CA9A-352B-49EB-AD14-8713509AAB4E}C:\Windows\SysWOW64\explorer.exe 10341000x8000000000000000757459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.204{A78D3DEB-1A7C-634D-1600-000000008502}12362000C:\Windows\system32\svchost.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.203{A78D3DEB-1A7C-634D-1600-000000008502}12361292C:\Windows\system32\svchost.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000757457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.142{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1451BDB335BE62CA6142FDF42778E16,SHA256=E7B2FD5CC202E307A775266FF0607BEDEBC8EE85B08416823F94EB8BD3CA8232,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000757456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:24.077{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Eybfvhazm\85ecf15fBinary Data 13241300x8000000000000000757455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:24.077{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Eybfvhazm\77862982Binary Data 10341000x8000000000000000757454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.026{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:25.655{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3F20CF6ADDD8AE571AD6212F039AE9,SHA256=3CD1B996D92BF68D57BA21F2BCC0A485051780C5F1943699141D13B30BC60610,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000757589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.185{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57815-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 13241300x8000000000000000757588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:25.248{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e208-0x4af31146) 10341000x8000000000000000757587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000757577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.186{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A46ABB004E3DA60591C5913D6C5012F,SHA256=54E0110FDB31BF2AE9D5B039FB07642E78F723752027DD753616AD02045955B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.170{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C01-634D-FA00-000000008502}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.170{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.170{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000757573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.170{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3F37A3C824EF32A00B09CB8F2FB5F6,SHA256=0458244094CEFD853DE73EA90662EF278266CC2DA6601F43DFD690D7DABA3EFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.170{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.170{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.170{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1C01-634D-FA00-000000008502}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000757569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.170{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C01-634D-FA00-000000008502}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000757568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.174{A78D3DEB-1C01-634D-FA00-000000008502}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000757567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.170{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40825FCDB37589562A95271CBBF8FF49,SHA256=4529CB48777AC17E963FBDB58D270A011AA89C02CFC456EF5582F9978E8DD06C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000757566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.155{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1E62F3FC711ED03B61AA3EF2D8F61702,SHA256=554974BD5DE86AD9030BECD230DF14FBEB219AD5AA211E7AD6F6DE85B2536064,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:25.009{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:26.856{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3836671F9EA427B6FB8B35FDBD999F,SHA256=A109E204B0B06F730B180237391C490A0B682EA4358B207A5C4C7B27653DC4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000757669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.936{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2E47DB76B0233BEC65553B78895282,SHA256=9D58EE81F3E2164AD4E4950561AB276BA187E3485ACBEACA49801ADE005485B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.910{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.908{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.908{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.908{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.908{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.908{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000757662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.907{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000757661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.908{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000757660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:24.185{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57815-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 23542300x8000000000000000757659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.328{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EDF14DE76106B70248139CC69B9E82,SHA256=2E0C95205A48BEEB48BEF9FCA370B540F1BC06A54372E7B83661A52009AC1A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000757658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.282{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD98A34E7249197EFC518266068437A,SHA256=33D4211A2AD4159A300C3DD09CC9954EB2B91B195FD3320010EC2CBF33CAD45F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.251{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.251{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.250{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.250{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.250{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.249{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.249{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.249{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.249{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.248{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:26.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:27.944{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=522B6B927A1F1E5A41E6746B2F2684DC,SHA256=ABEB032D3CBDFDFDA5664B3F8CEE740EB65B3AF30D0D7D7E98279265293243A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.737{A78D3DEB-1C03-634D-FC00-000000008502}34885792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.584{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C03-634D-FC00-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.582{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.582{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.582{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.582{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.582{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1C03-634D-FC00-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000757752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.582{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C03-634D-FC00-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000757751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.582{A78D3DEB-1C03-634D-FC00-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000757750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.352{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256DCBEC039E0EFC6E2578B1377515B1,SHA256=241134C66DC1D7927A0623423481BD7C0AF6337957E6E77BC27B6BCB916DC441,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.266{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.264{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.264{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.264{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.264{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.261{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.261{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.261{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.260{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.260{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.078{A78D3DEB-1C02-634D-FB00-000000008502}57365432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.019{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.019{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.019{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.019{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C02-634D-FB00-000000008502}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:27.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.683{A78D3DEB-1C04-634D-FD00-000000008502}57446120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000757837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.391{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5310C279E53DA5928FA12458BD7CC86,SHA256=C19BA7948E841C0B1407710CCC4441B70B28544DBA2255216069742F67112120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000757836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.375{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E081D8F6FFFB10D59B39DB633910DADC,SHA256=814D82E8C5B431A5894B9226C100768810AAEFDA6D5070A700D71710F9CCF7CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.277{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.276{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.276{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.276{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.276{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.275{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.275{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.274{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.274{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.274{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.253{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C04-634D-FD00-000000008502}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.251{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.251{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.250{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.250{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.250{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1C04-634D-FD00-000000008502}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000757819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.250{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C04-634D-FD00-000000008502}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000757818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.249{A78D3DEB-1C04-634D-FD00-000000008502}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000757817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000757908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:28.226{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57816-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000757907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.407{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F480B711978E11ADAD679255A0A35028,SHA256=8B48A02C4000B05256A6AEC5CB661ED55D0A939E2FDD7FC16349C34D24B10836,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.287{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.286{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.286{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.286{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.286{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.285{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.285{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.285{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.285{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.284{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.006{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:27.100{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49774-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:29.040{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4591B7B7387632A21A1AB6BDE329E4C3,SHA256=8D454F223CA62BD4A90D59931DD559E7D777582AAE2B472FF8BBB7C25E3C776F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.005{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.004{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:29.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000757985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.436{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4280578AE0A782354247D7318AD07EF,SHA256=708AE9C22D06A8DB4058837A12DE4CB54B7C5B098F78066A5CDE197578F18D15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.304{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000757974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.057{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C06-634D-FE00-000000008502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.057{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:30.115{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D720B0E65EDF72A7C597D095D722F03,SHA256=2EC40F68410D857055076FF5691FEB28CF9A6784F08C7034C114AB23D2577B58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000757969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.057{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1C06-634D-FE00-000000008502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000757968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.057{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C06-634D-FE00-000000008502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000757967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.058{A78D3DEB-1C06-634D-FE00-000000008502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000757966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:30.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000758055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.460{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4838410A396B9B3E5300E3886428396D,SHA256=CE15781938B03E7117FEC2D183A66BC223456C79B4F72E431375704AFD0BA669,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.325{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.324{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.324{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.324{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.324{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.323{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.323{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.323{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.322{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.322{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000758044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.129{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=533DD4859CC32B7690925326D94863D3,SHA256=005011A3415B361708F147586F8D6279716090C3B308277AEF58D8EEE0F0222C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:31.195{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781FE2795B6D87D471135C4185E1BF84,SHA256=D7B768E5A12FED7C9B5A07C62E02AB6E34DDA47A7840B4CFD6FD89AFEBEEE23D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:31.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000758125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.487{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529265D4F28DBE49524632787AD373A3,SHA256=FDE427FD3B705CE1E5A86F6DCFB2FE05703FC73AF6EF6977B60E2C7ABEDBEB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.485{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8A0059B60A4BDACE42875C2F3BE9FD,SHA256=B0E09DEE06FE4704611028860BA3B1C4E6FC4089E3133FC636D22F5B640636E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.334{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.333{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.333{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.333{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.333{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.332{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.332{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.332{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.332{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.331{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:32.278{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5E2959DF7913C6401428203BEDD466,SHA256=3A857B1B63C255FC54D47750575291DAEC55621DD6AA246CEDC3FE845D46ED56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:32.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000758195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.517{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C69D9CAFCDFA4C50AC6684FA231F1B1,SHA256=E34DCB6671DBEA15CF1E516E871FFD7AA27A1E0687C8A1E6B0EDBB395F5DA33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.514{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFDDC2FCE34F2EDD6EEB878197B3518,SHA256=CC9D262E687001D93F6A5AA292AD27AA63BC534F901E536FCCD2A12BB88CCD44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.345{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.344{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.344{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.343{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.343{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.343{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.342{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.342{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.342{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.341{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:33.363{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D098FA268D8A51EB76126653C9FCE50,SHA256=DE5F8CC4708811776A9A26E1318F84EF6E3E995FE26D0776EC2DA872F9D68CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000758266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:33.394{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57817-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000758265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.544{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E9B6919A29BE77DA929CEF16C009AC,SHA256=0A4ADB62520FE13F48606F3A62AAE9BFA06A389291FD7846E3601993578AE8AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.541{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E79B174C1118DB7F6E2CD3A441134C6,SHA256=1C787313337CFC947CF782EAFE9CB485AB0739E98E121199D5E6FEB8F6FD5033,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C0A-634D-A100-000000008502}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1C0A-634D-A100-000000008502}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.963{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C0A-634D-A100-000000008502}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.964{5C0BDE06-1C0A-634D-A100-000000008502}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000519455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.513{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6C4B323F49427BF5F9CC1C689A80EE31,SHA256=DE03685D331D9AF6C7400ADDD63676278D77EE7D1C8CE10F8A6E5C7C2EFE8363,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.494{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.494{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.494{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.494{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.493{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.493{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 23542300x8000000000000000519448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.473{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4B45D212B793C5609FF7F2D1416198,SHA256=80BB8CC0538A16B3A4CA0DC393B551EFB5070E33C1C447EDF2C2781DBA126C4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.356{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.355{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.355{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.354{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.354{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.354{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.354{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.353{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.353{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.353{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.003{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.002{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.001{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:34.000{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:32.219{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49775-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000519446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.285{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:34.286{5C0BDE06-1C0A-634D-A000-000000008502}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000758336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.630{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC60FF721417EBB1BD66220B823D5CB,SHA256=A0DB2A02F4C2E36C177DD4542B7BA5E3B41114973C00362D5136A81CCAB860EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.577{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70A2FA3C6856640D5BB8A8FDA0EFB8E,SHA256=F9004D2DD55847A214B9FA81227FE35579601920C661345625F3F0C05C0CBF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.746{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9333FDE9129E10D0AA33EFE18A9F5D,SHA256=C05CC69E4486121F427CD549EDB9FED978AE5BB26FE29E00FC765AB8D9AC618F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.368{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:35.007{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.468{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C0B-634D-A200-000000008502}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.465{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.465{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.465{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.465{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.465{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.465{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.465{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.465{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.465{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.464{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1C0B-634D-A200-000000008502}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.464{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C0B-634D-A200-000000008502}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.464{5C0BDE06-1C0B-634D-A200-000000008502}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000519470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.401{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2014C5AB60291CE2368161B69077E039,SHA256=6D8290D8DC72F6FF500FABFBCE1B31E398764A3A3E9CFBBC07EACA7DB320399D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:35.197{5C0BDE06-1C0A-634D-A100-000000008502}976996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.914{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C46D15DD88D64B0AD7262629265C22,SHA256=BB3EE3CF3A43DE9ADC802B1AE00C1C828E43DD490770C8586A8F4972ED487F00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.867{5C0BDE06-1C0C-634D-A400-000000008502}20121804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000758406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.672{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E3A355AD372D6B9F35D7B3A08CD2E0,SHA256=9591699D5D6975CED19ACF3A7BA4AB7C6A4A4B20F6CB1F05162A8692D8BCC808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.669{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4F07FCC73D388CD04D2D8D7D217D42,SHA256=FCE98E915C8A6059DFD240C5A239C380553DEFB23E18278E177D475091BED98C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.387{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.386{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.386{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.385{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.385{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.385{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.384{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.384{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.384{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.383{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.011{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:36.010{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C0C-634D-A400-000000008502}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1C0C-634D-A400-000000008502}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.636{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C0C-634D-A400-000000008502}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.637{5C0BDE06-1C0C-634D-A400-000000008502}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000519498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.355{5C0BDE06-1C0C-634D-A300-000000008502}10801240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C0C-634D-A300-000000008502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1C0C-634D-A300-000000008502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C0C-634D-A300-000000008502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:36.137{5C0BDE06-1C0C-634D-A300-000000008502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000758476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.703{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEEEF2E66F4C4801993B115183AF95A7,SHA256=97F29B470586EB7F5BED4427B35BE9731BD46A440DF6EED0673F3854405F8DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.698{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F931DAE00C82B11A835C12AC549039,SHA256=A847C6B2F201888A075A7081D05C6912AD121FCE5BB605BE44EAADE29A3D0F9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.644{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C0D-634D-A600-000000008502}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.641{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.641{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.641{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.641{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.641{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.641{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.641{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.640{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.640{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.640{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1C0D-634D-A600-000000008502}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.639{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C0D-634D-A600-000000008502}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.639{5C0BDE06-1C0D-634D-A600-000000008502}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000519527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.382{5C0BDE06-1C0D-634D-A500-000000008502}13681912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C0D-634D-A500-000000008502}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1C0D-634D-A500-000000008502}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.148{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C0D-634D-A500-000000008502}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.149{5C0BDE06-1C0D-634D-A500-000000008502}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000758474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.397{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.396{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.396{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.396{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.396{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.395{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.395{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.395{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.395{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.394{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.013{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:37.012{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000758546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.734{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BED5FBFF1DF0FE189261207BF74C42,SHA256=CAA3478AB0CA4655106DB9949A6994E1905E392392F3FFABB8397128BE2365C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.729{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22155A9302F39B9DBC01DD0A61FB398,SHA256=D5C31B5E30932265BA77EDEB614AC75FF58D0D9C84A29F33A0296E0F1A990843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:38.092{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2720D1D4666EAAE3C02E8B4567956E,SHA256=28221BECDCF3E7B3D4817AA083E21F6E4A794F7C29C58270958655716CFD1C8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.409{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.408{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.408{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.408{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.408{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.407{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.407{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.406{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.406{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.406{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:38.014{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000758616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.766{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587E0E5FB8F6D9FC9DEE7F3B9D8F0F48,SHA256=0A50B6E552BA4151009571383ED9F379AD98C0E1ACA58F0E963233C9F23FB26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.756{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948266E9DCA244D14CB6D4A028441DDB,SHA256=FC5A6E1CBC79878E8A62157C47D5832AB59AD48BBA63AAA883663ACBBD68944A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:37.244{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49776-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:39.188{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80698C725794DF2ED3A79A6A4477D6D2,SHA256=F076FD2B569271190685A3C595AEEE4C75FCB9F604C6BDF45E68B0541A5A1A0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.418{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.418{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.417{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.417{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.417{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.416{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.416{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.416{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.416{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.415{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.018{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.017{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.016{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.015{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:39.032{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C7C1A7266A7EF4EB66A79A6DFC649C31,SHA256=27B54B363BC63BBBAF4C7AB53D7BB0453B2AA90657BECD433F084F5BFB6FD35A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000758688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:39.352{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57818-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000758687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.836{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDF1A73CC966559665877EE3AD2B21C,SHA256=B5E3D60373CEAFA531075046CD938B2953A1F7933C205FC0E6EC63A10E6735E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.822{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6764AC9211FB03EAB3BFB3D1D965ED3,SHA256=3A76F8AAE8DC0440CA83EA71400314027FAA4002CCD3EAC2DDF2FEE8B0B710CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.796{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.792{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.788{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.776{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.772{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.768{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.765{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.761{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.760{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.756{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.748{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.745{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.731{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.707{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.699{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.682{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.676{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.637{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.586{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.568{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.556{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.539{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.517{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.507{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.494{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.478{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.467{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.452{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.438{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.431{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 23542300x8000000000000000519545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:40.275{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4E750AC7F78A83D39343D69B97A0BC,SHA256=2F8BE5FEB59C7936FD3CE4A14230826B0D99B01868799A587703BAEDE5D553E8,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000758685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:10:40.521{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\MACHINE\DRIVERS 10341000x8000000000000000758684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.427{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:40.028{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:41.451{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A322F14006FC7479384192D7447A62,SHA256=E26139729D53D42C99975588CC0569603943E1D051C039F79788B571710EC049,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.933{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.930{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.926{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.923{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.918{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.911{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.910{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.904{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.901{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.900{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.898{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000758772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.873{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED686154368039BEB23F625C4393F56,SHA256=99D23C33BA1B28D9E84154046EBF75FE37A9C467EA4058480B5E2702EC6594F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.869{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000758770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.865{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9CECDB49494D7FBE8087B99AAB1EEDC,SHA256=B142048A01BAB9BEC5FA78401EBE656AC30EF8A0DEA1660C541B41F96D44A5D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.864{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.852{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.847{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.834{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.826{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.820{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.811{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.804{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.796{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.789{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.758{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.755{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000758757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.446{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.445{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.445{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.445{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.445{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.444{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.444{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.444{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.443{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.443{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x8000000000000000758747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:41.245{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e208-0x547bf395) 10341000x8000000000000000758746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:41.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:42.533{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0B7FED6FFF8E7A2DD998EF2DB0C208,SHA256=37F12064DE904A989092F148EAE8F746EF27F5801ED36C5D585A7B904BFB80C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.457{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.457{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.456{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.456{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.456{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.455{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.455{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.455{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.455{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.454{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.239{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000758843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.237{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x8000000000000000758842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.141{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE5CC71346CF069BCD152E1BEE1D34F,SHA256=17E836ED3D0EC3FAF3361C49520E79833941EA9252486648DAAC1066B0B5D2D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.040{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:42.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:43.614{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA8113685F868EC089B143AD0EDA1C3,SHA256=CA0A8DF962B8841E31403D817C022C45D77765C94E618DA888D20F6E10B8C646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.685{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AF533BACC9E07712C6DEF563A8ADB0,SHA256=139E105CF114EA7DF911F63FE86971645EC1A52419C5D23576628D1BACD75201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.468{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.467{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.467{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.466{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.466{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.466{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.465{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.465{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.465{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.464{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000758913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.163{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE195EE558734E8A9EDFB883ADED1A3A,SHA256=9F001DDE05100D862BE757C84B4F6D3C9A6D1ACDEEFA74BADEBA57FB00A02621,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:43.041{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:44.814{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A8AC7EA5A909DC4051C4ED4F5C216E,SHA256=BEEA01B1A41495000561190D89E1A1033D61EE739D7A3B6DC26D550EF91FA043,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.859{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.858{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.854{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.853{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.853{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.852{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.851{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.850{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.847{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.838{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.831{A78D3DEB-1AF5-634D-9E00-000000008502}54845624C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129103D0) 10341000x8000000000000000759007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.783{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000759006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.777{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000759005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.770{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000759004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.766{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000759003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.764{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000759002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.762{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000759001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.760{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000759000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.757{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000758999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.756{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000758998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.754{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000758997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.753{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000758996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.751{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000758995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.477{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.477{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.477{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.477{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.476{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.476{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.476{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.476{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.475{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000758985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.241{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000758984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.240{A78D3DEB-1AF5-634D-9E00-000000008502}54845508C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x8000000000000000758983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.207{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA12E77C19EBA91CBC5D100521AD0F3,SHA256=01C6565C2E2A87BCE2BC854E253E69E8EB028AA6E5BC6B4B5C3EEB4FBB127CEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000758982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:43.245{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49777-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000758948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:44.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:45.891{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F7FD9582D21C48A589649169B13A8D,SHA256=CA6EF36EDF1A28DC00ADB95E5DE19117FCE4473E16B90DA6B7E8986F0546D3E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.949{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.947{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.911{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.911{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.911{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.910{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.910{A78D3DEB-1AE6-634D-8900-000000008502}19801628C:\Windows\system32\csrss.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000759116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.910{A78D3DEB-1BF3-634D-F700-000000008502}23321352C:\Windows\SysWOW64\regsvr32.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|D:\7533.dll+c020(wow64)|D:\7533.dll+db3b(wow64)|D:\7533.dll+6319(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000759115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.910{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\SysWOW64\explorer.exeD:\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=1A3B0FF3E223494347622890CB313A50,SHA256=D715B4B742913367F54A47C3747AA312C7B938B56BD3A24E5E33E1E91FA03937,IMPHASH=027A05A63341529EA0932E72FEFFFCF0{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\regsvr32.exe 7533.dll 10341000x8000000000000000759114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.909{A78D3DEB-1A7C-634D-1000-000000008502}84752C:\Windows\System32\svchost.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.491{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.490{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.489{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.489{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.488{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.488{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.488{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.487{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.487{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.487{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.487{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x8000000000000000759102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:45.420{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475Binary Data 23542300x8000000000000000759101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.242{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0279CF340DA104F10584F31E7C0C8CA,SHA256=994DC8AA84D8DB29277C9EC255DCB6B02605D684EA7BEB5F22966411AE6E06FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.237{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E8517E76041B9A9C3EB860FEBF0F8D,SHA256=48B49822F63F1BCE44E73C6841110FACCC76161EE6E8007E82F337ECBA953AC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.179{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.178{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000759097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:45.166{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{66FDDC8E-FF3B-4930-8CC6-F969C5CFDD5E}\DynamicInfoBinary Data 13241300x8000000000000000759096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:45.164{A78D3DEB-1C15-634D-FF00-000000008502}672C:\Windows\system32\taskhostw.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastScheduledRetryTime2022-10-17 09:10:45 10341000x8000000000000000759095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.164{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.164{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.161{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.161{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.153{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.146{A78D3DEB-1AE6-634D-8900-000000008502}19803048C:\Windows\system32\csrss.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000759089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.144{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.144{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.143{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.143{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.143{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000759084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.143{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000759083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.143{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe10.0.14393.5127 (rs1_release_inmarket.220514-1756)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{A78D3DEB-1AE7-634D-5DC8-0B0000000000}0xbc85d2HighMD5=FAED69010377AF73D19BF070833DA674,SHA256=094990F2727BAAFC51D74571EA32C18CEFCFB6C66B80EB91F3952C007CE9FC31,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x8000000000000000759082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:45.123{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{66FDDC8E-FF3B-4930-8CC6-F969C5CFDD5E}\DynamicInfoBinary Data 10341000x8000000000000000759081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.123{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.123{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.122{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.122{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.119{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BF3-634D-F700-000000008502}2332C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.032{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.032{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.032{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.032{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.032{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.032{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.032{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.032{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.031{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.030{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.029{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.029{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.029{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.029{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.029{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.029{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.029{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.502{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.501{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.500{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.500{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.500{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.500{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.499{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.499{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.499{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.498{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.498{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000759209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.276{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEDD31863657ED3B425B4D1CB913A16,SHA256=65DC5A83E8770FD8AF9E782A1620F0ACB25B4AD6C01C4CD3F6ABFF7CFAFB084E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.271{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B42850982D29AF40CE812B0DC43BEAD,SHA256=E992FB4B9108E7CD4E58B168485899E322F0457C8181594C4FCA8B5E10037E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.264{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8ACFC0311D4DE0DC887652C63889F4,SHA256=64AF757D56C803234F52A459F8BD9375727F7B112C988F40D335097210C432A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.262{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5B893E56EC73A2B20430065EB34F16,SHA256=9A5F2F3DA511367EE1B85FF5564359271BEC265ECE9449BBDE9C8FDB18611F4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+5759c|C:\Windows\system32\taskmgr.exe+3a9ba|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.043{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.042{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.039{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1de5f|C:\Windows\system32\taskmgr.exe+1d350|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.039{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.038{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:46.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000759294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:47.960{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exeHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\SIGN.MEDIA=7D8772 calc.exeBinary Data 10341000x8000000000000000759293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.513{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.513{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.512{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.512{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.512{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.512{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.511{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.511{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.511{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.510{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.510{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000759282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.316{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215F936C3921DDA0573A22B50A2D3F1D,SHA256=964C6EC4C4B6B4E8F8B748CC11E6D72FC459CDCDC1FFBC326B01A07A073F099A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:47.079{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C96AFF8D7045F0CEBE64460C1FD47B6,SHA256=4B5701BEB56A4B0F0AF7A94165D62C0D7A4B00D5DCE123D13D8A35444EA15276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.302{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC748ED90EFC7B986E47A7948C6A347,SHA256=7895EE11E28760C0805AA470DD127F32D69C5E9BCF763189435CAC46916D56C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.036{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.035{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.034{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:47.033{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000759221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:45.266{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57819-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:48.263{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21183564302A44D264614EB67D53E3AA,SHA256=8A0FCD62A95302DF43E4034EB1D1871972E2117FEF2592A987EFD655B383E427,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000759355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.489{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC150D4B5A2C750DC736DE50BF291E8,SHA256=8ED92F2A95F8B95FC9713B0F24CF07EAD2148E7B20E6061B6990BB97DB51F226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.348{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5BE93895D33FEFEB72B45D4756B2C6,SHA256=994C9D30CFDC3DBCFFC30063C12A2172A08A8BA4E9B2DC70A0FCDCD4E578D63D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:48.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:49.455{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA398EFC2FBF845CADFF241EEB6EC3AA,SHA256=6B0BF2083BDCD2764F3328C5375A36C61B280BFB17FAD05A1FB9E9D22585FF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.712{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165E26D0EBFA60F3276DC7CD56736081,SHA256=5F1681BCA71B922D330350B9756A52CFA0B1A3BBD4AB774A7EDFADB01BC76691,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000759537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.614{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids\CompressedFolderBinary Data 13241300x8000000000000000759536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.613{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xsl\OpenWithProgids\xslfileBinary Data 13241300x8000000000000000759535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.613{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithProgids\xmlfileBinary Data 13241300x8000000000000000759534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.613{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WVX\OpenWithProgids\WMP11.AssocFile.WVXBinary Data 13241300x8000000000000000759533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.612{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL\OpenWithProgids\WMP11.AssocFile.WPLBinary Data 13241300x8000000000000000759532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.612{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WMX\OpenWithProgids\WMP11.AssocFile.ASXBinary Data 13241300x8000000000000000759531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.612{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithProgids\WMP11.AssocFile.WMVBinary Data 13241300x8000000000000000759530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.612{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\OpenWithProgids\wmffileBinary Data 13241300x8000000000000000759529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.612{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\OpenWithProgids\WMP11.AssocFile.WMABinary Data 13241300x8000000000000000759528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.611{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\OpenWithProgids\WMP11.AssocFile.ASFBinary Data 13241300x8000000000000000759527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.611{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\OpenWithProgids\wdpfileBinary Data 13241300x8000000000000000759526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.611{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WAX\OpenWithProgids\WMP11.AssocFile.WAXBinary Data 13241300x8000000000000000759525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.611{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithProgids\WMP11.AssocFile.WAVBinary Data 13241300x8000000000000000759524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.610{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 13241300x8000000000000000759523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.610{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\OpenWithProgids\WMP11.AssocFile.TTSBinary Data 13241300x8000000000000000759522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.610{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\OpenWithProgids\ttffileBinary Data 13241300x8000000000000000759521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.609{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\OpenWithProgids\ttcfileBinary Data 13241300x8000000000000000759520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.609{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\OpenWithProgids\WMP11.AssocFile.TTSBinary Data 13241300x8000000000000000759519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.609{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithProgids\TIFImage.DocumentBinary Data 13241300x8000000000000000759518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.609{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\OpenWithProgids\TIFImage.DocumentBinary Data 13241300x8000000000000000759517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.608{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sys\OpenWithProgids\sysfileBinary Data 13241300x8000000000000000759516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.607{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.SND\OpenWithProgids\WMP11.AssocFile.AUBinary Data 13241300x8000000000000000759515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.607{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids\shtmlfileBinary Data 13241300x8000000000000000759514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.607{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.search-ms\OpenWithProgids\SearchFolderBinary Data 13241300x8000000000000000759513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.607{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scf\OpenWithProgids\SHCmdFileBinary Data 13241300x8000000000000000759512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.606{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithProgids\rtffileBinary Data 13241300x8000000000000000759511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.606{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.RMI\OpenWithProgids\WMP11.AssocFile.MIDIBinary Data 13241300x8000000000000000759510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.606{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\OpenWithProgids\rlefileBinary Data 13241300x8000000000000000759509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.604{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pssc\OpenWithProgids\Microsoft.PowerShellSessionConfiguration.1Binary Data 13241300x8000000000000000759508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.603{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ps1xml\OpenWithProgids\Microsoft.PowerShellXMLData.1Binary Data 13241300x8000000000000000759507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.603{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids\pngfileBinary Data 13241300x8000000000000000759506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.601{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.otf\OpenWithProgids\otffileBinary Data 13241300x8000000000000000759505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.601{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.odt\OpenWithProgids\odtfileBinary Data 13241300x8000000000000000759504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.600{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ocx\OpenWithProgids\ocxfileBinary Data 13241300x8000000000000000759503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.599{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\OpenWithProgids\WMP11.AssocFile.M2TSBinary Data 13241300x8000000000000000759502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.599{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\OpenWithProgids\WMP11.AssocFile.MPEGBinary Data 13241300x8000000000000000759501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.599{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithProgids\WMP11.AssocFile.MPEGBinary Data 13241300x8000000000000000759500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.599{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithProgids\WMP11.AssocFile.MPEGBinary Data 13241300x8000000000000000759499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.598{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MPE\OpenWithProgids\WMP11.AssocFile.MPEGBinary Data 13241300x8000000000000000759498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.598{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\OpenWithProgids\WMP11.AssocFile.MPEGBinary Data 13241300x8000000000000000759497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.598{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\OpenWithProgids\WMP11.AssocFile.MP4Binary Data 13241300x8000000000000000759496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.598{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\OpenWithProgids\WMP11.AssocFile.MP4Binary Data 13241300x8000000000000000759495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.597{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithProgids\WMP11.AssocFile.MP3Binary Data 13241300x8000000000000000759494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.597{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP2V\OpenWithProgids\WMP11.AssocFile.MPEGBinary Data 13241300x8000000000000000759493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.597{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP2\OpenWithProgids\WMP11.AssocFile.MP3Binary Data 13241300x8000000000000000759492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.597{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\OpenWithProgids\WMP11.AssocFile.MOVBinary Data 13241300x8000000000000000759491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.597{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mod\OpenWithProgids\WMP11.AssocFile.MPEGBinary Data 13241300x8000000000000000759490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.597{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\OpenWithProgids\WMP11.AssocFile.MKVBinary Data 13241300x8000000000000000759489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.597{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MKA\OpenWithProgids\WMP11.AssocFile.MKABinary Data 13241300x8000000000000000759488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.597{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MK3D\OpenWithProgids\WMP11.AssocFile.MK3DBinary Data 13241300x8000000000000000759487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.596{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MIDI\OpenWithProgids\WMP11.AssocFile.MIDIBinary Data 13241300x8000000000000000759486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.596{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MID\OpenWithProgids\WMP11.AssocFile.MIDIBinary Data 13241300x8000000000000000759485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.596{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids\mhtmlfileBinary Data 13241300x8000000000000000759484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.593{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithProgids\mhtmlfileBinary Data 13241300x8000000000000000759483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.593{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\OpenWithProgids\WMP11.AssocFile.MP4Binary Data 13241300x8000000000000000759482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.593{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\OpenWithProgids\WMP11.AssocFile.M4ABinary Data 13241300x8000000000000000759481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.592{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\OpenWithProgids\WMP11.AssocFile.m3uBinary Data 13241300x8000000000000000759480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.592{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\OpenWithProgids\WMP11.AssocFile.MPEGBinary Data 13241300x8000000000000000759479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.592{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\OpenWithProgids\WMP11.AssocFile.M2TSBinary Data 13241300x8000000000000000759478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.592{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\OpenWithProgids\WMP11.AssocFile.M2TSBinary Data 13241300x8000000000000000759477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.592{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M1V\OpenWithProgids\WMP11.AssocFile.MPEGBinary Data 13241300x8000000000000000759476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.592{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\OpenWithProgids\lnkfileBinary Data 13241300x8000000000000000759475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.591{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jxr\OpenWithProgids\wdpfileBinary Data 13241300x8000000000000000759474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.591{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithProgids\jpegfileBinary Data 13241300x8000000000000000759473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.591{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithProgids\jpegfileBinary Data 13241300x8000000000000000759472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.591{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\OpenWithProgids\jpegfileBinary Data 13241300x8000000000000000759471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.590{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\OpenWithProgids\pjpegfileBinary Data 13241300x8000000000000000759470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.590{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ini\OpenWithProgids\inifileBinary Data 13241300x8000000000000000759469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.589{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithProgids\icofileBinary Data 13241300x8000000000000000759468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.588{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids\htmlfileBinary Data 13241300x8000000000000000759467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.588{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids\htmlfileBinary Data 13241300x8000000000000000759466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.587{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithProgids\giffileBinary Data 13241300x8000000000000000759465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.587{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fon\OpenWithProgids\fonfileBinary Data 13241300x8000000000000000759464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.587{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\OpenWithProgids\WMP11.AssocFile.FLACBinary Data 13241300x8000000000000000759463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.586{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 13241300x8000000000000000759462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.586{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\OpenWithProgids\emffileBinary Data 13241300x8000000000000000759461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.585{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\docxfileBinary Data 13241300x8000000000000000759460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.585{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids\dllfileBinary Data 13241300x8000000000000000759459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.585{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithProgids\Paint.PictureBinary Data 13241300x8000000000000000759458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.584{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dds\OpenWithProgids\ddsfileBinary Data 13241300x8000000000000000759457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.584{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.css\OpenWithProgids\CSSfileBinary Data 13241300x8000000000000000759456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.583{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.contact\OpenWithProgids\contact_wab_auto_fileBinary Data 13241300x8000000000000000759455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.583{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdxml\OpenWithProgids\Microsoft.PowerShellCmdletDefinitionXML.1Binary Data 13241300x8000000000000000759454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.582{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cab\OpenWithProgids\CABFolderBinary Data 13241300x8000000000000000759453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.582{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithProgids\Paint.PictureBinary Data 13241300x8000000000000000759452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.582{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\OpenWithProgids\WMP11.AssocFile.AVIBinary Data 13241300x8000000000000000759451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.582{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithProgids\WMP11.AssocFile.AUBinary Data 13241300x8000000000000000759450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.582{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithProgids\WMP11.AssocFile.ASXBinary Data 13241300x8000000000000000759449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.581{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithProgids\WMP11.AssocFile.ASFBinary Data 13241300x8000000000000000759448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.580{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AIFF\OpenWithProgids\WMP11.AssocFile.AIFFBinary Data 13241300x8000000000000000759447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.580{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AIFC\OpenWithProgids\WMP11.AssocFile.AIFFBinary Data 13241300x8000000000000000759446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.580{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AIF\OpenWithProgids\WMP11.AssocFile.AIFFBinary Data 13241300x8000000000000000759445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.580{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.adts\OpenWithProgids\WMP11.AssocFile.ADTSBinary Data 13241300x8000000000000000759444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.580{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.adt\OpenWithProgids\WMP11.AssocFile.ADTSBinary Data 13241300x8000000000000000759443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.580{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\OpenWithProgids\WMP11.AssocFile.ADTSBinary Data 13241300x8000000000000000759442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.579{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\OpenWithProgids\WMP11.AssocFile.3GPBinary Data 13241300x8000000000000000759441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.579{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\OpenWithProgids\WMP11.AssocFile.3G2Binary Data 13241300x8000000000000000759440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.579{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\OpenWithProgids\WMP11.AssocFile.3GPBinary Data 13241300x8000000000000000759439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:10:49.579{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\OpenWithProgids\WMP11.AssocFile.3G2Binary Data 23542300x8000000000000000759438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.566{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F9ED5DD97A629C004C8726CE774953,SHA256=EF77A68E50B651174233EC45EABF3CF0E032D60030063A162823F9C7F264753B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.542{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.542{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.541{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.541{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.541{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.541{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.540{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.539{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.539{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.539{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.538{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000759426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.175{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC64BED7C6F27DA7AE11819E02092636,SHA256=2DA88F083D086AB43430DF43840F29377299F75AA55EC5DCB85D40325263FDA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.050{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.049{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:49.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:49.174{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49778-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:50.657{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A3F3519B9A484C1871C8E388F9BEE8,SHA256=81C5CDDD63F52154E1D22F778DE6A17DDFB0387695588819BC79E2BEC8FE417E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.633{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2F3AE174769FB68BD52B493F854FBE,SHA256=E9A6F8178E7D76E2B62687F20DB6F78B80325181FF671F10B8722EC2C160235B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.560{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.559{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.559{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.559{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.559{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.557{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.557{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000759598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.235{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E41F8F0651DEAD1B4498726617F2FBE,SHA256=1ECA05FBAE05E7C668AD8BFAD2C35FF5E63F3D9AF277A6A655C1E6067B28A335,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0001-000000008502}4796C:\Windows\System32\InstallAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:51.960{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B05D7BD2EA654256098217F1B6E74E,SHA256=28F9A4B93257C91250F3715324E43226B658811019035E98AA4085665239109D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.665{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1A68873D65B3F1DDE39FD01C2941BF,SHA256=428782013863C0CD157C104EF23378A2DEBA39016854671C2D9352BD1CBD4D84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.577{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.576{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.575{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.575{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.575{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.574{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.574{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.573{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.572{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.571{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000759668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.278{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E093E468F493BB565A206D077079084,SHA256=B49AD464CE505AFAB8D962CB7ECAE79A57F33D3FB018906AA6AEA98B2403DAA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.048{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.047{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.046{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.045{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:51.044{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000759757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.604{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B536E2FAB1B73A721D6860CF4051812B,SHA256=6C3055807CC2A38DCE22009D454E91CB7C2F89C6BEE844C4F7475EB3FB50B287,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.588{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.587{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.587{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.587{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.587{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.586{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.586{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.586{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.585{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.585{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000759746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.494{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=64B9D4C21378C82519F44387691E85E4,SHA256=3C0A7AA613C10A1592447D860E1DCB2731255D033C179ED0D62366EC1C759758,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.402{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000759744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.402{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000759743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.402{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000759742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.400{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000759741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.400{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000759740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.400{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 23542300x8000000000000000759739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.320{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224385E44E9B50C6A84D6DEAD1E60084,SHA256=0EB9F165942A561003FC262F4DFA49CC1FF7948D6633434C2440F555862679E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.055{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.054{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.053{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:52.053{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000759680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:50.340{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57820-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000759827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.677{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35692E300E9F7CFF85B21097CBFFDE9F,SHA256=469E3362A8F77F641793249EA319B2C11B3A6EB06A9CE1ADC5F627EF448416EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:53.155{5C0BDE06-1A78-634D-1100-000000008502}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=545BF7785508B494C80F6D7E1D41521C,SHA256=C20EED5CBC0E389548C6AFB3C133FF5BAC680B5C2DE1F08C6C178627A73FDAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:53.046{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816343918CD0F01F08CDA740C48DA1FC,SHA256=5A990E553BA1E911EB9DF0F457F3C7EC1C03CBAE6939770C132085076093474E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000759816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.146{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284AF27B30E242F2D0816F22DEFB16E4,SHA256=AC5ACB577CF42C8FE9BFF067BC1D1BBD246431A959551D6820EA3587DCB83A47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.062{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.061{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.061{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.061{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.061{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.060{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.059{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.059{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.059{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.059{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.059{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.059{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.058{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.058{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.058{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.058{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.058{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.058{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.058{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.057{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:53.056{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000759896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.888{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27A0AF657B36D506A3BC6FECFCEFF8F,SHA256=E8D13C244E6D861C7BA11C603F11F70DC24424ED204EC3B2FFCDCFD8BF952D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:54.122{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AC8FB0C3303BB747B595BC5D8693A4,SHA256=C7E5FA25DEC67D45D9443F446C491E8F5982D303E6683ABDA73CC19B1E8B19BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:54.064{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000759967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.995{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D6A1BB232E460FFCCB903B2336F554,SHA256=DC6E96A1D27AAA1AD2D0E480CFCF47BC776848AD3AC2CF4EF4576C22B11ED40B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:55.315{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31E90814D2CC64EB0B0E047B055E49A,SHA256=15ACB05CCC613D4D5036323C4E7FC40662599362409FB38ACC88FE4E21B39C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000759966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.850{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75692D860E595FACD8EA9F163E9E0396,SHA256=1CFD9C06C4E65389953C71FF5C4E4041A882664FEEE5C838D79A6576BCD1B705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000759956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.631{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000759955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.381{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=48D8CE6A4CA0CDC01AFE759BC8AF052E,SHA256=4E4D419EEC9972E17B67F46A6DC8ED063DA7E25AF1D490A9C8D80DE8A8DFCCF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.074{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.072{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.070{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.069{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.068{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.068{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.068{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.068{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.068{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.068{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:55.068{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:56.408{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724980BB22AF260B37ADC16B44A4E4E4,SHA256=E2FBF918DA314EBCE474E93C75D82F69293A07A2BDC36D92C14BC41086F03783,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000759969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1A7C-634D-1100-000000008502}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9550873832F2D6FF68EA21FB4C63EC57,SHA256=B7634AE344B6F4567877D16837BA0CBE03DFD55B50F8E609EF5A2DE4472DC38D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000759968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.073{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:57.498{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C96216F6E171DB5EEB99359DD155D21,SHA256=506441E9F004BD0F7CE00A40C606190827B36775475E0E2F96AE38104AC0737F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000760109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:56.312{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57821-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000760108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.663{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 12241200x8000000000000000760098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteKey2022-10-17 09:10:57.288{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\TiRunning 10341000x8000000000000000760097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.288{A78D3DEB-1B2D-634D-C200-000000008502}59924936C:\Windows\servicing\TrustedInstaller.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+52f08|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000760096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.121{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E45058757482067F6ED5E805C6E005,SHA256=32B5888DE759F524B87803A4BA38C10D039037AB0A400C9EE7CA102717732358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.121{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6317AD5B14A5A13AC305A96B0E8788,SHA256=664459AF90C6CEE3BFAEB62D26A2A26BAF7953876ED00AFC7329EE10E16703AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C300-000000008502}4216C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B2D-634D-C200-000000008502}5992C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:57.088{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:55.159{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49779-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:58.793{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE67A782576978935F4947EF97F25BE,SHA256=C0A3C004EF5070AA1EA5C6EC4EE29CAE3C1C12C573FFDF15F88683E3928DE82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.959{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBACEB0C7A2BC8225C67621163731541,SHA256=469623D7955A056A72F30435B303C03FE60BFCE442A1299C25FDCCFBA5BBA105,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.685{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000760168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.326{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=81CDC232F3577FC154D963792FB97C13,SHA256=3FEA68F07449E292E95172801FD39B90089AD54B5CBDA887BF41908F77D1DC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.263{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62A861C6345C054F15FA97805236C21,SHA256=769ACA587D50324093CC01A1A5869077A58A324BE94E9BB47E1DE473EFB218EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.263{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0897EE9ACED1952E493BC90A3C2389,SHA256=D20486AC38F18D356C18BD8010902CF22F31DACE5EB396F3B8F97C0FDF73AC58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:58.110{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:10:59.884{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D8613EBC169BD64765C0DD188B7924,SHA256=033CC77C1CF0B96D21250A1BD420A3AD981177DA337E28C0D90FF84BC868D744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.723{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.707{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.707{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.707{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.707{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.707{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.707{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.707{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.707{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.707{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000760236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.161{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1766705C8156460330E216748431BF,SHA256=F9E20BD8588745707A02936B505C62A48A2F1CF6E21003D3FC0B12D52DA7738D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.117{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.117{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.117{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.117{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.116{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.115{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.114{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.114{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.114{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.114{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.114{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.114{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.114{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.114{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:10:59.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.735{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000760304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.329{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A6D9DAAB152B2AD4C194E0D1F7A2EC,SHA256=B28FC469CFC44D998A211B7F0007EA34B6CE86E2BC0F5E3D71EE5622E7D9BB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.313{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81408E9F582AE013E46B9070E2E5F1E3,SHA256=000C55590074483D26B440DC8FC5E9F9A8B38BB2BD1D234F389B0CC3916A8DF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.720{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.716{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.714{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.710{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.709{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.706{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.705{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.703{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.702{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.698{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.696{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.694{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.690{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.677{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.675{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.666{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.663{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.642{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.593{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.575{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.565{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.552{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.539{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.525{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.507{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.479{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.459{5C0BDE06-1A79-634D-1E00-000000008502}19402904C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38F10) 10341000x8000000000000000519599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.446{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.441{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000519597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:00.434{5C0BDE06-1A79-634D-1E00-000000008502}19403968C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C98190) 10341000x8000000000000000760302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF8-634D-A400-000000008502}5840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:00.113{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.969{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.966{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.961{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.957{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.952{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.944{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.942{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.936{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.933{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.931{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.929{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.895{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.888{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.875{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.870{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.862{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.853{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.846{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.835{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.828{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.820{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.813{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.768{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.764{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.761{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.760{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.760{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.759{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.759{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.759{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.759{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.759{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.758{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.758{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000760371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.448{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35141BEB1A77F5AEBAC0D5D6C276129A,SHA256=F935C2A8C35984B2705AFF96130FAE9B1776AA57CEF3FF7F88FE5B5AEF5A20BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.448{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EEDE9635E900FB63310647CE93DC96,SHA256=3BF0107DE403664EEC7AA124C5BE211227275F7C0634698367A874D4108A2396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:01.432{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04868DAFC91698593CD6D06F5917FCC2,SHA256=FFB013611794DDD5D4A18B8E49A3F11C1FA1B6D52CC5690D9E112E9F334F74C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:01.031{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49780-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:02.463{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EE7B6C3E1966E64B8E3D0DB5D41FCE,SHA256=721F54A91939A85D5B844B5B9A74374F214C344ABBEC9C44867D4DB6000BA290,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.778{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000760464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.700{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72060ADBCA963B6C20436BF0196417CE,SHA256=CA72422AB3A4177A45B7AD964296EAF10A6CBE9B9243B51CE3A0EC9A2C25EA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.684{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514897094221CC3AC3A0CBE7B232F980,SHA256=E795378F7E448656BD553C2A5ECB2A8B0D87E0F3887A7F0642CFF6622F730A6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.334{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.332{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.124{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.123{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.122{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.121{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.121{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.121{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.121{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.121{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.121{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.121{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:02.121{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:03.697{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:03.696{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:03.696{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:03.679{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:03.540{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C03901C93123591D2447B13653967F4,SHA256=17075DF9AA1CFBCAD0F3317460D9588A0776678A08564848FC7FD15689B20582,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.995{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000760545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.995{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000760544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.993{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000760543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.993{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000760542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000760532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.766{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62A0C7E59B4379F6744835249ADFA20,SHA256=0580A120DD872BD6EBE622EBDA605745B55AD58EC8D8ABD70F3F64B8F6E106A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.317{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEC7E87787759C2F401CBF86F174788,SHA256=637603C71239145208B382F6081D4E8635296AE140F1A623D2FF9BD4BE17F611,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000760530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:01.422{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57822-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000760529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:03.134{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:04.744{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7287B0313437C0D1EAE7484791127F,SHA256=7184F65F2A6A4237A6E0F6B8FD519A71B452D3ECDA5170D5450EF83769AA9DA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.987{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.969{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.932{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.922{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.910{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.905{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.903{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.901{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.899{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.894{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.893{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.888{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.887{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.884{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000760619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.861{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E63E3C352EC03BF88784BA1026E026,SHA256=605294C494C500A3C441A3219D9E65F460D89FBF3103035AAC082725CF5A75A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.814{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.370{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.369{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 23542300x8000000000000000760606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.228{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58B83D6170FFAD8446D67FDFDC7730E,SHA256=B5F5AEF2C588C6BCBCA94FF8D3D5B5C226EDF5C7518DE44BB8FBBEEBFA93B3C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.167{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.167{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.167{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.152{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.151{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.150{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.150{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.150{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.150{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.150{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.150{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.149{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.147{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:04.147{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000760707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.983{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671445256759D75B691EE2DA6CEBA7D5,SHA256=F151EC653E76A17A0598E7D2165ADBF4CE6EA18B91CBDE9035C6A3F1E4BF08B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.834{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:05.259{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\respondent-20221017090356-006MD5=75B25DC729C19E88528C82668494583A,SHA256=ABB595BDF77E2788F2F972811CAEECA924DDF1180379487ABCCADDFB4B859A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.350{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1071BF51AC843CF18EC9332FA03E40E1,SHA256=FF7E493943E12F2F44AF51D4F106464B183C6FFCFA9C048DC3D78A85FF226CF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.143{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.142{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.142{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.142{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.142{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.142{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.142{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.142{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.142{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.141{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.141{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.141{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.141{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.141{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.140{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.140{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.140{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.140{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.140{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.140{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.140{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.140{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.139{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.139{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.139{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.139{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.139{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.139{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.139{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.139{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.138{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.137{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.136{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.136{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.136{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.136{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.136{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.136{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.136{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.136{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.029{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.024{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.011{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.005{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.005{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.004{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:05.000{A78D3DEB-1AF5-634D-9E00-000000008502}54845608C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980610) 10341000x8000000000000000760774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000760764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.854{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7FC998C921ADD7CFFA5A422E0E3A90,SHA256=8B4B860E3C629B2A061C1AA9C4AB9B421DA9D529999B84418ACD9458B457B6A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:06.259{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-007MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:06.039{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED73B6DFD80D90D161FBDE57E6B15593,SHA256=14A650FA02C2CDEE6F4A9DAA356312301AEFF357BF01F3B5719DD3434F52E9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.276{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0BCFACF7BD252A5EB8479C70F2CA10,SHA256=7A62FC7D9FFF6D310BAF6EFE62CC716729FBC8083845B8C757AAF066DD1D1A53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:06.166{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000760841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.953{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0268CA762B90ACE13B89054EF7CC4A28,SHA256=17D2DAD25F0FD2568431C7A5E520D2AE89549ED541822432780BDE6D95E7A4EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.875{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:07.133{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B32BCCF82944071FADE389CAD2E33BA,SHA256=566C3917645A281F858757E8BB3F12F7582FEF2F83B6475CA6AD55474A301301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.500{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03408ADCCB19966DB51C3B68423746D,SHA256=71F047DCD881E7E3E8D71132D339AE99C369EE60331BF357484F93BB16AE3D2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.172{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000760908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.962{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD098D9F7469C834B24D930924B446A,SHA256=858D0B43DAB2071C6E5170B0F2D62520FDBB9E881A7B33308555A5D5FC4C9969,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.908{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.907{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.907{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.907{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.907{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.898{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.898{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.898{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.898{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.898{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000760897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.304{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF15572E4B497B899E355C16B831CC0F,SHA256=46D812BBAD5C91741A96D38C3404AA98BABFE7C822ABCD1E02C0FA7973A2C9DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:07.040{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49781-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:08.298{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=61329BB7D79708C9243DB2B4D7882D98,SHA256=56A73BA6CAC2172187C61A98857C36483B830540925B234FD9850F6CBE0DB95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:08.220{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22F591F13CD81AD51B6643D08474AAB,SHA256=2449A18F0D10EE4091B7F6CF7A3922029321050C52C49BAAC883B24392CDE7C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:08.179{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:09.312{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EE874BD28031EBAEB1CDD1351A014A,SHA256=7BCD2867E5BE03F99CA85A0F8597D8FDA717E49340B5411C1841143B9E844086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000760976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.955{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D2C47FF8E3F08D62EAE85AA1855BAD,SHA256=77DCAA378815DBD3C7C9294B8F9322A8B49BA7DC071AF65F5BBA1559F6358751,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.940{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.924{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.924{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.924{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.924{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.924{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.924{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.924{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.924{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000760966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.924{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000760965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.440{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A57ADD90B8513D9C3CD14358951BBF,SHA256=8E0AB9F1CC0D696312C4DE9C7C8A695996B2EEC4B044C3F0F71EDE588C832C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000760964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:09.190{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000760909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:07.260{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57823-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:10.624{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EDDA214D7A9C3465132EB992530E12,SHA256=EAB1C671BDA0E0C855580C1B8EE75BB03EE52E19A90DE4E845C6B923F138E758,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000761033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.947{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2DA8FAA2BE36D7796416967D000023,SHA256=E18DC86AB8412D03A633C8DEA26AB82F955F276411D24278D0848F7E0A652CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000761032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.400{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D321D325DF1541190469198976AB5FD,SHA256=E9AE29390F2CF8268B1F70422BA574B4B83DA2D1F091B5744CA8D58DA0A27D87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:10.197{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:11.715{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65378E6D39BDD7B45F17CB5A427BAB7D,SHA256=E2891A331A195A789B64F9D742EC5F190A80E8D5193A965CB6F5D84E3175353D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.973{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000761099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.317{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C9EDA731E98EC3EDBF9F7297B8C397,SHA256=73F4D85ACB4A2D2B3945D2D28B7859FB60A8933ABC304DCAA246C5D7187AA564,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:11.208{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:12.799{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8935FF60ACAB8B5CD4C9CC3817A251,SHA256=177988FBC0D5BA813E5B97C207D04EBDE96DAE194424E1779A2080512FBCA42F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000761166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.452{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774627CC1A7F3EB2DD335A6690EE1F9B,SHA256=E4560A8E9A35497E2DD52ADB39360E3F220054219B72320D011268F33485BC1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.217{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.056{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15488EE1A7BA16E04EE37CC434FFF874,SHA256=4ACB6AA5D656DE1ED8727C1B9FD62ECDED5752F70544116D66A8985E63FB7651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:13.989{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C661045D694792E766798CF320E7FD1,SHA256=0DD27D49A4F0AB59064B020E163BDD47105C838CC207DDC935EF2C81D81EC4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000761233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.352{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1D964B2D383006ABE655A7F3321065,SHA256=B96273D1F4ED606E1040F541B408D13D32795772186A8B6DF003A164F7ED00A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:12.152{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49782-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000761222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.227{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:13.045{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10411ED0DB0BFAA3F66120AE9B785A0,SHA256=68D998655E9932891FCF8C832437D75EF7CEA09D46E266C042FB82A1B92AB8A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000761301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.484{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482E4D18083B8CCE1B4DAF5EAE03AE74,SHA256=33570D42721D804D91C30066BE7D2AECC9ADDCD387E10985BBD634579A20417E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000761300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:12.305{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57824-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000761299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.237{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.039{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7D6F11C4513F82BDADFDBDB4FD35FE,SHA256=96BA7CC6A05C1BE30DA31ED839DDAA175AB13357B94BA7B6A68BF71258585721,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:14.024{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000761368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.407{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A1C998D262687038147BAAAD1E1382,SHA256=B4E4E9B47C39827C7B9DE253CEA24BF47D58837971DD9536EF5B5D5F7132592A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:15.086{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7C8A2744C439292B5DFD576640E9AD,SHA256=DCAD3E46552CB7DDB9C0148BFDC09303F55923EB4234308674F6505FF7F965FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.235{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000761305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92F0DDEC2897BD81C6E514EB713F26C,SHA256=2FA8A44C9C50E41D196FA1FA52D3271F5D6F81A8330903AB6DACE0938E0CD066,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:15.047{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000761435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.546{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A898D4FEDEDB6383028DFDBA06B9B1C0,SHA256=BE890660AA0155A0C18FE0723B623E52F1B249CDFE17E7102E9622B1EF8F2FA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:16.181{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07CEEB6FDF298FB1681F690D6F7D75C,SHA256=4B300410F4285780A4768FE2A7765D4727499F014F0BC0F86D3BE4A81920858C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.249{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.158{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55537538A93E8F4C782AD72AEFFF299,SHA256=BCDAB01856687DD13C9BF9C1A1AF23FE64453625B9CE22BCD34727AAE8DBE9DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:16.063{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000761502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.325{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF244E7D921CA0FA998076A952F55CAA,SHA256=97F8054A8A8A89D5B8F41D726EDAC4F8EED3B18351929E2AD184C4CF2C3EAB83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:17.267{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4D9A55286C90D7AA748492999C70AC,SHA256=947D49E9AC30459EB8F62BEA42CAC4C12F24857E6C1D420AF703574B2BB1584A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.262{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.157{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2507E51FE8C2EE998F5B5A87AB33E4E,SHA256=034C137ADBBB0C45602887D0128B61780865DDDF4F2CFB60EF3EDB237E77342C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:17.077{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:17.017{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000761569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.450{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5AEA58A4B6F2A6E6882AC550936A0F,SHA256=3E279522AFD0B72FEF6B9E7C2EE4C3E6C40E9109B7B26AF97A279CBA6E7EE2DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:17.252{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49784-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000519654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:16.991{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49783-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000519653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:18.568{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439EAB28CA2F96FE247E2B0185B0ABF2,SHA256=0B950B44C50C49FBE1D7B405159895E071B480D3F3E2C26B9E08B997A71F0F86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.263{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.166{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15BAC0D8F7E0385CF0D13DD8FA45C73,SHA256=792B0E70861869F050C493CA4F5F13FD145BDBF6E2F63747411A0A4E0151A8F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.090{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000761636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.579{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CAC700B2CF0214B3F9569CB76B77CB,SHA256=3AEA48463EF6DC7E180E8BCCD8F8C96F095D727E883F2F01EFCB7C75B0A0AFC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:19.655{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DF027D337DA6F0F549AF39B1304EFD,SHA256=F1B1331C3208578FFFC60616DEACCBCE042A9180A4B72992A817A473EE36DE57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.266{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.169{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D9AD96457EC475A3C6861FBA141399,SHA256=AB4AE72FFF9C0C7047DF14840E8223A59FC2521D2524C9989C4F2E1106A6A6E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.115{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.115{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.115{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.115{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.115{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.115{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.114{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.114{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.114{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:19.113{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.746{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61E2FA8FD05E6F1075A297647DFEF6B,SHA256=081776207D39AFACBB7A937B5770F598D64D889AD89BABC5D5C957201B022CEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.737{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.727{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.720{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.713{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.712{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.706{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.705{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.702{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.701{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.694{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.688{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.681{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.671{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 23542300x8000000000000000761705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.883{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\respondent-20221017090412-006MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000761704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.709{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF37EB039388D694B32B8FE7546F62B1,SHA256=9B5A8791B4C67268308B998F1D7A5E0B038781A678E684D8D346E8EB796558E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.274{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.196{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E06A59D797C6279C413D72EEEC0A0A5,SHA256=BABA21AF0BBC095C14CDC91E3B42BED77B7E40B1B998AE5FC90E75CE315E7452,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000761647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:18.317{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57825-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000761646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:20.127{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000519673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.647{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.645{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.629{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.625{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.601{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.563{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.549{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.531{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.521{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.510{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.501{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.490{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.476{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.466{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.455{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.440{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 10341000x8000000000000000519657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:20.435{5C0BDE06-1A79-634D-1E00-000000008502}19402896C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C39150) 23542300x8000000000000000519688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:21.716{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EB06CFD4C94FF73E266D8ADC7B3F03,SHA256=3FEAD8017E27FE153673E20C914C9E3229160C4B65EAA5FBA4C88D8FDACAE0A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.991{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.989{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.981{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.976{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.969{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.968{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.962{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.959{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.958{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.951{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.912{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.905{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.892{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.886{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000761783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.882{A78D3DEB-1A89-634D-2E00-000000008502}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fc4d2aef7cfe51c8\channels\health\surveyor-20221017090410-007MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.876{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.864{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.857{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.845{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.832{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.824{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.817{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.758{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.755{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000761773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.478{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78AB26CB11C4B033AA6F813175D5CE89,SHA256=8BE9425BAB3C5E3B2C0F561FBF693089A5E46A8ABDBD0365DB4595EE6EEBAC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000761772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.337{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B980CF53811C6873F63777649DF11D,SHA256=7F7CD4B35EF5FE62F0519AAD53954E47B7FA9EED261D5AB8165802B6B39A5D4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.291{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.205{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4292642C4DD509ED1C86F149BC8A2316,SHA256=F75C3BDBD2D02DA755BFAECC78CE72A1C86A4B84A54600E7106E243022700057,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.155{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.143{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.143{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.143{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.143{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.143{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.143{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.143{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.143{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.143{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:22.808{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D62ED5991ADDDB05E32920996FFE726,SHA256=23F68C1A00A933D4973E294D8ADCF27F1360DA726B03E248D190139D737379FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000761867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.477{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBA597F35FA4B3AB89489C04958C266,SHA256=BF6697D162881DBA1428CE12198CD2AC6F8D9E68FE32C2E87733EF9600A66F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000761866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.462{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9480B3D438A5E0F8ECCAF12874605B6,SHA256=0A66C26F2C895F9B40EF3B089F033EF1AE49EBB36638E4A7948EEF8CEB683A53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.324{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.322{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000761863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.297{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.296{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.295{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.294{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.293{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.293{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.293{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.293{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.293{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.293{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.293{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.168{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.167{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.167{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.167{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.167{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.166{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.166{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.166{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.165{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:22.165{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:23.898{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7617FB86177AC2A1E256EA5824191E2C,SHA256=F23681D3DAC46CE3CA0EBEDA287FFE82AE19FD0E3F46DD66A4A85F1519A235D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000761942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.612{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FF9021A36B573161B0429980B14275,SHA256=86456BF2C0A4E5963D0A011D34289FC5C9301FF8423046DDD27F58F00FB380FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.612{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C3B-634D-0201-000000008502}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.612{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.612{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.612{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.612{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.612{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1C3B-634D-0201-000000008502}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000761935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.612{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C3B-634D-0201-000000008502}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000761934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.613{A78D3DEB-1C3B-634D-0201-000000008502}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000761933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.301{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000761878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.226{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D04029EB62BBB4104D68DD5197E563,SHA256=466E9C122F44E61F5FC5B7B965601461C8776033CD2C844C275C45506AFBE6C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:23.175{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.998{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.997{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.997{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.996{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.993{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.982{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.971{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.947{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.941{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.932{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.926{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.925{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.922{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.920{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.916{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.915{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.913{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.912{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.910{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000762024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.690{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A0A251DF44D1BD04AD50F2A9D50E411,SHA256=2CB91E4AB6E78B6CF6154B0538C1AE8AE739B83E2835CA3546B1A62CCFD425F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.643{A78D3DEB-1C3C-634D-0301-000000008502}54326096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000762022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.565{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A33DD4EF67AF1191E6638EF189454BC4,SHA256=2F51814C2F1AC0842E70EFC7161FC52C39128F208E4F207FE5E1194248D2CFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000762021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.405{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C8B40EB5F0AEF0F6B7DDFC04C66BF0,SHA256=0558FF9932DBDBB817F55C3606FBFA06BB7CFB2A0D3D0390753AF8716A6B2251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.397{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C3C-634D-0301-000000008502}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.391{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.391{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1C3C-634D-0301-000000008502}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000762014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.391{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C3C-634D-0301-000000008502}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.391{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 154100x8000000000000000762012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.391{A78D3DEB-1C3C-634D-0301-000000008502}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000762011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.389{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000762010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.360{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EF902C90408B628B9DDB3A9872BC6474,SHA256=D3D478B6D63DEFEC0549932E3E76024E964990762E0144DFDE0754808EAD0E8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.323{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.322{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.321{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.320{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.320{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.320{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.318{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.318{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.318{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.318{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.318{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.316{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.316{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000761954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:21.659{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57826-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000761953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.226{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511183BBB038FB930F1CBACFF2449703,SHA256=4C900E9F6985130A1F5924B532B839AC1CCBD19A51BCAFD153B23D7CC303B301,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000761952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000761943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.188{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000762137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.431{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DAF12FF9225EED85FF82B7C72B3130,SHA256=8DEE501477B61C288B95DF80000BF3B28C7D829F27BCBF65734C46ED17061A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000762136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.415{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06A2F3F0C702645DC52E81CCFF40F91,SHA256=CB2001750310A3C2B49F8C9BE63ECBAD129C62D1D4570F20A83CD1FFE1142CB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.338{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000762134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.338{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000762133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.338{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000762132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.337{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000762131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.337{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000762130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.337{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000762129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.317{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.317{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.317{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.317{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.316{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.316{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.316{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.316{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.316{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.316{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.315{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.315{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.315{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.315{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.315{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.315{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.315{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.315{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.315{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.314{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.314{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:25.084{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE2878E060A0EBE1D6C82E041D25787,SHA256=14B0ACCB42E9108E461010FA32CEFCDE5C8EF84DC6FD7DAE5665E3F9D28E96C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.314{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.314{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.314{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.314{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.314{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.314{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.313{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.312{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.312{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.312{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.312{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.312{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.312{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.312{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.311{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.222{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.206{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.206{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.206{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.206{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.206{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.206{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.206{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.206{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.206{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.159{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.159{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.159{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.159{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.159{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.159{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000762047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.159{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000762046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.160{A78D3DEB-1C3D-634D-0401-000000008502}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000762045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.003{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:25.002{A78D3DEB-1AF5-634D-9E00-000000008502}54845516C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x8000000000000000762215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.896{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C3E-634D-0501-000000008502}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.896{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.896{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.896{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.896{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.896{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1C3E-634D-0501-000000008502}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000762209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.896{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C3E-634D-0501-000000008502}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000762208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.897{A78D3DEB-1C3E-634D-0501-000000008502}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000762207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.584{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB40F5124540EC6B77999B8CC0F5F3BB,SHA256=0327418C4774A2913E993DC23FD60D85D7061B34437316F15259F9401617BF4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000762206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.568{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD34B92EA9A3C0EB58B691B57975ACC,SHA256=D3AFA2D980F0370D8A34AF526680C8F3DDB8864CBC3A343FE5AE76A2325836FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:26.278{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E991D832BDF12C861543FC71A18598,SHA256=C6AFD45162E0F942B5F4C57C09512FB587CA075002FC19F2DBE20346B50D35A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:23.136{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49785-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000762194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.334{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000762150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.310{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57828-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000762149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.198{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57827-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 354300x8000000000000000762148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:24.198{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local57827-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-801.attackrange.local389ldap 10341000x8000000000000000762147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.235{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.234{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.234{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.234{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.234{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.233{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.232{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:26.232{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:27.257{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953D9E009312F94F5FD2340E93DA21F1,SHA256=EE52591FE59E85F14BF4D0E0A0CD8B8B1F043EECBAB27E604EDD4E199F981966,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.773{A78D3DEB-1C3F-634D-0601-000000008502}58285700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000762291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.710{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3EF536C3ADABCE525754116FEFBECE,SHA256=E64FCA00D74DB2D210AADCEDF17E6B7FD22C130BE6359429D8ACC03C123DC0FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.586{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C3F-634D-0601-000000008502}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.586{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.586{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.586{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.586{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.586{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1C3F-634D-0601-000000008502}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000762284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.586{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C3F-634D-0601-000000008502}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000762283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.587{A78D3DEB-1C3F-634D-0601-000000008502}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000762282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.371{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647D3CD352D12802375CA3C4227EB2CF,SHA256=2205A89EE6D9747D197E400E5DF6025EE1AE75B04979C8E035D9748AFE0B2DE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.257{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.255{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.255{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.253{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.251{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.250{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.250{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.249{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.249{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.248{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:27.083{A78D3DEB-1C3E-634D-0501-000000008502}46485332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.538{A78D3DEB-1C40-634D-0701-000000008502}51244336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000762377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.417{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41554E65F5112219C60C7CC59AB43BA,SHA256=DA0C8780F23FDED0A731878A8124B39769E61466DAD63C40C4F5FA238DC71D9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+3aa00|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\WINSTA.dll+1178|C:\Windows\system32\WINSTA.dll+10b5|C:\Windows\system32\taskmgr.exe+578ec|C:\Windows\system32\taskmgr.exe+3a9e0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+93f5d|C:\Windows\system32\taskmgr.exe+57b30|C:\Windows\system32\taskmgr.exe+3a9c2|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+630ba|C:\Windows\system32\taskmgr.exe+57c94|C:\Windows\system32\taskmgr.exe+3a9af|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+3a966|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:28.339{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F141C8E6E4A12FFF72A4D49B1495E8BF,SHA256=9F0D7D14306155195769083525C7231D0794B86A1A8BDAD9EE851F32E181DDF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.340{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.340{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.339{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.338{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.338{A78D3DEB-1BC0-634D-ED00-000000008502}44602224C:\Windows\system32\taskmgr.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.302{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.302{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.301{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.301{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.301{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.299{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.299{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.299{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.297{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.295{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.259{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.256{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.256{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.256{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.256{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.256{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000762294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.254{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000762293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:28.255{A78D3DEB-1C40-634D-0701-000000008502}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000762445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.565{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A321A79D11E6CD7DE540D98A386D6428,SHA256=AD960492134EDA423AD7B5B759E3E806AA33530A37B06CBD7DBC72BEA9380DF2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000762444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:29.410{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e208-0x7131756f) 10341000x8000000000000000762443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:29.427{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1729F9131F6B599F3F30F71A98238F,SHA256=3F371CB4801FDCE0BE22A99E2E692DF374C2DCD7D5AD43A86BD77ED73563E5D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.338{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.314{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.313{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.313{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.312{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.312{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.312{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.312{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.311{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.311{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.310{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:30.531{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286CB329B956A37FD557ADC13E0BF251,SHA256=0B03AE3892D35D57F5B91851BC301E0AD554F00957A35DDB47351F4151012E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000762520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.693{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6B16A65DC94ECEEC916B3B96BB4F92,SHA256=6DF3F433990F3F58BE79B4300C69ADDCD1CF3D2926E4549C30C8403E14AD0092,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000762519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:29.327{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57829-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000762518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.327{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.326{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.326{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.326{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.326{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.325{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.325{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.325{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.325{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.324{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.050{A78D3DEB-1A8A-634D-3800-000000008502}32563276C:\Windows\system32\conhost.exe{A78D3DEB-1C42-634D-0801-000000008502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.050{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.050{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.050{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.050{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.050{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1C42-634D-0801-000000008502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000762447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.050{A78D3DEB-1A89-634D-2A00-000000008502}26163324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A78D3DEB-1C42-634D-0801-000000008502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000762446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:30.050{A78D3DEB-1C42-634D-0801-000000008502}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000519697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:28.245{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49786-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000762587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.452{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CE55AAC0BF5E8C2EC5E0BF2A6875A5,SHA256=8CB5A799BABA3440657F9E67A8766E75B867558E4725C478962F77ACE2885DD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.342{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:31.611{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6267A183A4D7344D9C2ECD479006982D,SHA256=70C4B06CD081350AA3A900FE9B64A45C2BE1E399B1A7FF8BA0D654871340A37B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.341{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.340{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.339{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.339{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.339{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.339{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.339{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.338{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.338{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.338{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.337{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.337{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000762521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:31.174{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D15C006949C669E6D76AFE00D26019E7,SHA256=5D9AB03EC3A9C83510FC1FD16CDE80DA15FFC8A86F9FCB9E87B16638E53997E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000762653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.562{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2B99697F6768BAA4B5E6110B81254E,SHA256=80FF4E5F952085C2B433DD93793EBD384EDA983A60CB9B265712C9C1FD13F601,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.356{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.354{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.354{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:32.691{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7857D0E51C783397FE0AF8953B3D5ABA,SHA256=7943D00162107A4AE47EA5A7B79347E0A7E9FC98C7CE1019CAAE806639F713A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.354{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.353{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.353{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.352{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.352{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.352{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.352{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:32.343{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000762720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.683{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117E03D9385FDE08F988F3053D67D64F,SHA256=C8915DEE4EE91FF29B104863F2C5C54E482DE53B17FA022F34110A9ED1EC31E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000762719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.400{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24289D131DD723961BBAD549BD16046,SHA256=15E62B30C624B9A2968E974E5489AED941784AFAD56F3697E9E046FF3D1FF983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:33.774{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D67F19E960181BC15E9730FB9B45AB9,SHA256=7DF0E5CBFFB20C8A94A72318C26543C03859EEF815BA13685DD181C64ED2080D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.381{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.380{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.380{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.380{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.380{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.379{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.379{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.378{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.376{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.374{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.357{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.357{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.357{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.357{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.357{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.357{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.357{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.357{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.356{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.356{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.356{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.356{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.356{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:33.344{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.407{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.406{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.406{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.406{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.405{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.404{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.403{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.402{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.400{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.399{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000762776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.392{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=960C18D992B3C44F59A67263C4E627AB,SHA256=2C1EA53F39C730850665FE80E76A0861C28C2F75D15A81C9C885F418AE5C925E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.352{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.986{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46B249409D286399059813C3FC2A8BA,SHA256=2CE2D6CA4E4464652FDAFDEF65D5FE45EDFE810AB77CE168B83885BA79BE4C13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C46-634D-A800-000000008502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1C46-634D-A800-000000008502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.970{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C46-634D-A800-000000008502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.971{5C0BDE06-1C46-634D-A800-000000008502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000762738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.349{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:34.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.612{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=96D210B41CD2D72E7C49048C772DDF95,SHA256=285EC108383C97F6B81F7EB40C48C1D0704D1BF96D0F1E6AFB9B19A174261257,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C46-634D-A700-000000008502}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1C46-634D-A700-000000008502}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C46-634D-A700-000000008502}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.303{5C0BDE06-1C46-634D-A700-000000008502}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000762852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.434{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3CE3DC2F0A824624DD3DF56D22262C,SHA256=F2B5292CA66D938CDC28F1B77ADB4E6A6C1831369A1418601D67BB942E9ACD9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.419{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.351{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.350{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.348{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.347{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.346{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.345{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.641{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.641{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.641{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.640{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.640{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.640{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.470{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.471{5C0BDE06-1C47-634D-A900-000000008502}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000519731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.423{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9877FA4D961B60252A865218AEEF2AE9,SHA256=AD0556C2834F1F9724D246928DD559D921999593CFA14131CAD282B361D88A0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:35.220{5C0BDE06-1C46-634D-A800-000000008502}39563700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000762919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.590{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28ED018B098CA891DA9D445D9E00D2AB,SHA256=9A33FAF99BD6618EA9CE62C709AB90B50E6871F063F47BFD72F4B5CF94F72024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000762918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.574{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEAE9FEE04527F17881F570204C75D6,SHA256=3FD0DD86633B25267E20EB202FC916BC4D4ED988204306D087A5209D984F8A86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.442{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.441{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.441{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.440{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.440{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.440{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000519779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C48-634D-AB00-000000008502}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1C48-634D-AB00-000000008502}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.826{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C48-634D-AB00-000000008502}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.827{5C0BDE06-1C48-634D-AB00-000000008502}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000519766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.332{5C0BDE06-1C48-634D-AA00-000000008502}26283336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:34.256{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49787-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.175{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DD23CEFB8C65AB23411123811CE763,SHA256=AE8DC5037653AB7C52D2758F43973D0964A71F4E5049C70A09F81C9C0629D38B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C48-634D-AA00-000000008502}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1C48-634D-AA00-000000008502}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.144{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C48-634D-AA00-000000008502}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:36.145{5C0BDE06-1C48-634D-AA00-000000008502}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000762911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.440{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.439{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.439{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.437{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:36.353{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000762986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.725{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD42797E17C647D4C819A79F8FF53395,SHA256=F453D0CA5D4040EC11BC5071942DD975023A35599E14E4439B3915B06A208AF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000762985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:35.305{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57830-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000762984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.461{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.460{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.460{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.460{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.460{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.459{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.459{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.459{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.458{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000762975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.454{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000519801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.713{5C0BDE06-1C49-634D-AC00-000000008502}13442760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.628{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.628{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.628{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 23542300x8000000000000000519794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.595{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F791A3198106432381C2CA820A26D81,SHA256=CFD710F4649FA5F906FCBBD8AB53EF1AC4670E4FA8D3F58D42332C953CB2A535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.499{5C0BDE06-1C49-634D-AC00-000000008502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000762974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:37.368{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:37.014{5C0BDE06-1C48-634D-AB00-000000008502}23723512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.752{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3925EC49D802415B325A6F7A25551954,SHA256=70667DFA171ED81E64ABC84393E4DC296CA1102E855213663E66AB4CE687CF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.869{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B547337B46C1D19A7F6DECF927BA7B1E,SHA256=C3DDF199501607E508E379DC578FCB27155A95B7B8ADD5E49BC3CBF3B646A376,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.494{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.478{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:38.378{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.479{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ED2160F6A2EB3D6A51EE6F4B140878E5,SHA256=57789E5D46974C9B1E4D9958F03AEA754D874AA14E92E1142FAE21353732EC8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1C4A-634D-AD00-000000008502}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1C4A-634D-AD00-000000008502}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.135{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1C4A-634D-AD00-000000008502}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000519802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:38.136{5C0BDE06-1C4A-634D-AD00-000000008502}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000519817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:39.917{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9B12167415F5F9AC5F75309598D9E0,SHA256=40B2C9505ECEE54C6203E354CDED8E9C3BC2499D9C8D6D86C2FA0B5FDDF03E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.548{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71344B50402586795983D08372A979BC,SHA256=759E8FE93B6AFD658AEC399DF29A1CA0A733A1D157905880DE17A28E7E15CF21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.524{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.524{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.522{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.522{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.522{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.521{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.521{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.521{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.521{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.520{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000763108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.475{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF5BF0B98F154AAAB75A9A530B08EF6,SHA256=B282C1BA5B711702C5E66026180B1E1A94C07EB0F77E9BFA3B19D4DB4DBAAAE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.409{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.409{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.408{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.407{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.406{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:39.405{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000763185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.702{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1C3ACD792B09210C0B37B704B74F78,SHA256=1C5B118AEE621676FBB9981B85C61008F8759C7E5EBBEF8BC9E8539C0CE63069,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.763{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.758{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.755{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.748{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.741{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.737{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.736{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.732{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.729{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.725{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.721{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.719{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.712{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.691{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.687{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.677{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.674{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.640{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.590{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.574{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.563{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.553{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.530{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.510{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.494{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.465{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.448{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.437{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000519818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.432{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000763184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.530{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.420{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.419{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:40.417{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.987{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.979{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.975{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.960{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.951{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.949{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.942{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.939{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.936{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.934{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.896{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.891{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.878{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.873{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.864{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.853{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.844{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000763258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.835{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B14B0EACD24B4A2598DAA477ADD90C,SHA256=C9C1C2998FE596C5FC3115E4253B44E00FC7789F77AB76E5DA3767D44E88C40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.830{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88A04611769804CBCD68C03ADB5539A,SHA256=CD5D7F06ED2DBFD042CA8A5B645D422FBABF18D56963ECC4647176AE7328A4D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.830{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.822{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.811{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.802{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.761{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.758{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 354300x8000000000000000519849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:40.026{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49788-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:41.108{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29E748C7C0BB153F6C2ECD128A4605E,SHA256=1A617306AB6C4BE0FC2D367B77D678FF7D36F2929ED8F44D170CAFF6108483DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.558{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.418{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000763345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.901{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E720365448C35590253943B48067A64,SHA256=B506107F808ABBDBE92FDC483F73005090DD715F6EE905C057E11B159267C14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.853{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A0C726A8727FADD48711127B88B9C1,SHA256=3FCA9A080965B5C9E948C578E5213DFD66204A39A648638CE30BD9DF3A585B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:42.196{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFD999E5FDAF799D4011553E221EBC6,SHA256=99CB7759D1D479DF710D8976EB13535E1D5B782C09A3B4D29111A712444E335C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.578{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.578{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.577{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.577{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.577{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.577{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.577{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.576{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.576{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.576{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.427{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.382{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:42.379{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000519851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:43.304{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F32F3723043657F1A5AE420152A79E3,SHA256=596222235E5761C1BB5B8E31367DC8A4726A5070F3E818795E33F9BA95520378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.590{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.589{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.589{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.589{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.589{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.588{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.588{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.588{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.588{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.587{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000763401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:41.324{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57831-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000763400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:43.440{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:44.377{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F7F562831F441AC7BBD94681514137,SHA256=D7DCFB1923F7DC9B5925D7D321A4889576B5348446739F89B2E6BB5A3966F632,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.935{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.933{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.930{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.929{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.927{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.926{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.924{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.599{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.598{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.598{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.451{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.420{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.419{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000763413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.047{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD26C3426E70F714E875B19923A188B,SHA256=CC178EC171620C24AA09A0E15E2DDF618135D8FA11ED3825834AE6E00242B801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:44.047{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3AD432C0D4BC6DC9F91391556CC7F3,SHA256=F235214909F89E7739C44EDF9BDC14FDF2F3C7B4AF50F7E51ED509B85470A483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:45.570{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58915F8DBAFE54CECC88200A1739E851,SHA256=7C919D7F437EFCFA49B6A576A70159AB94385754A6F0DB511884AC560CD44B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.767{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539D2357D449149CB2F6411663EC6039,SHA256=B04A40C415ACBFC3CD7C9848BA4D6218B4798ABADE64D6AD81101BB0388772CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.612{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.611{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.610{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.610{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.610{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.609{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.609{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.609{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.609{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.608{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.601{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000763561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.601{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000763560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.599{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000763559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.599{A78D3DEB-1AF5-634D-9E00-000000008502}54845612C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012481150) 10341000x8000000000000000763558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.454{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.291{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.290{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.286{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.286{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.285{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.284{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.282{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.265{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.251{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.223{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.216{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.206{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000763491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.205{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEAEF2986C48A06106997AC363A3126,SHA256=C944E7368CD578E1A75CC26E49D3479EAF09B3F12D1ED495819E46D9E9417607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.203{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50CED2D5BFDD6C13838A488AFDF76F4,SHA256=9419CE983CDF4C1CB0C4E0F3C5EB531D31D135840D3A0009A45757BD64D612B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.201{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000763488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:45.199{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000763642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.732{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C08723D221CC4A635E9F465111B919,SHA256=26341FD845F435201DE0AB311D2D63C1C28A6172EE544F803B97B0A5198962D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:46.652{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8ECE68F81817937AAA4989DBFCB8FB,SHA256=C2B86E7217820BE5EA05AC9FB336407EA9C35ACBE1259683CE6412797A701AF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.627{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.482{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000763576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:46.326{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000763575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:46.326{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXEHKU\S-1-5-21-2101601273-3326142395-4157521269-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{923QQ477-5846-686O-N659-0SPPQ73851N8}Binary Data 23542300x8000000000000000763574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:46.311{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B56AD38F40FC601178B349973269B5,SHA256=4D5F54399BA789221D547A81BF0945B9C8DB6C6F76FEF3E76B540B3A5CCC2F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.866{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493CB83B6171E55B82F20B6209BB1A16,SHA256=A1689AC0883DBD1D5E27D9DC69EB65BCFEEBD6DB82F397DB418F75EA59AD0E42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.649{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.648{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.647{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.647{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.647{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.646{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:47.843{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46A3654CA982B66446C218856075338,SHA256=91EF3698422113CD494892706CE8D24A27EBEB6AE3219BF2EF713AC95832F714,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.646{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.646{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.646{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.645{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.494{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000763643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.431{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F27A68AB10901BA77108344F2CE9074,SHA256=67E7FBC36B482A46920BA58F019FE49AABC1AC6423DA259381EB574593F8F4F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:45.167{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49789-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:48.932{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E619E5924639E732436DBF22F0364F,SHA256=DAF833D5FC23B4B0A47020147CAEC97FE2E40E7214A76CA04A9EFF0691F64921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.991{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31479F7D3AB2ABB2D935A8C6E4C1619,SHA256=1BCFD78D9C5687CB9908716D899ECC1EB41219BF262B708FFC4EF7663E07BB59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.662{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.662{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.661{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.660{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.660{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.660{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.659{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.659{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.659{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.658{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000763765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.534{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4908F1EE6E27D39E0CC75D023693D6DF,SHA256=B885BF94A55CA0863D33D3E4606FDE141EB55D5C9B7B4EBD5C32DF5623A96D80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:48.503{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000763844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.789{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED4024639AB277D909854A0BC1DC30C,SHA256=F993B61F571CF93B78857D5EA1EBCB16541803CE2D37CDAE6E5147CDDA7D0E71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000763843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:47.323{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57832-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000763842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.681{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.681{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.681{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.680{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.678{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.678{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.678{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.678{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.677{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.677{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000763832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.537{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D584403F340CB09EA84D18E34D3BC01,SHA256=A932D298D2407478A3130B70E92A758AA537EA710525B25073EFF1CD379269D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:49.510{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000763910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.947{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2579C7D5186E7F3DD61DCB68643CF6CE,SHA256=0C21E6166F7757EDE2864F27BA2A0BA2E0436633D8598F396B81A5496F1CDE95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.699{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.699{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.699{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.698{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.697{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.697{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.697{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.697{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.696{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000763900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.551{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5C6BB2F32F71B8B6A4FD48C31B2442,SHA256=2EAE925D98202BDEE613E7D6D3C260A2021872EAC96F9BC402A52BF822EFB2F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1C15-634D-0101-000000008502}3480C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:50.519{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:50.010{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8DC91993CF975BA30B85B936409FE8,SHA256=DAEF2DEF75D6A9413520AD119EA0AD7D1C6C7F45BDD2EA1C5B5FBB6D0959F87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000763975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.897{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F3ED45757B1F5A09A0704637B990E6,SHA256=9C94B10A1B36041F643A7AE034A3F9E1A9A0BF8550EE383A579DFA45BEA9E309,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.725{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.725{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.725{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.725{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:51.092{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16269A8A26E1FDDC48004C615672E25A,SHA256=AB5E794B9BB833FA9945E24CD3F7EE4835D37715EBEB39E141C33CDBED19AA33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.725{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.725{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.725{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.715{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000763966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.715{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000763965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.553{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA79B5C390EA06CD39CE6E4EB2AA9C20,SHA256=7AA6D7DCDDE71C0C444F3829FBF4D2C4BA1C5036C717AB906D353C57FC4E854E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000763964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:51.522{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.742{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.742{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.742{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.737{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.737{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.737{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.736{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.736{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.736{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000519861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:51.155{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49790-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:52.179{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381C10FCA76FA086E89E1B89716A9CEB,SHA256=39F6CA6F367F214ED795691C8FCA6E16CC06190DCA2382AF8AE76BC72CEF801D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:52.534{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000763985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000763984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00076c25) 13241300x8000000000000000763983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e200-0x1d0e39d1) 13241300x8000000000000000763982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e208-0x7ed2a1d1) 13241300x8000000000000000763981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e210-0xe09709d1) 13241300x8000000000000000763980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000763979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00076c25) 13241300x8000000000000000763978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e200-0x1cf89cdb) 13241300x8000000000000000763977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e208-0x7ebd04db) 13241300x8000000000000000763976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:11:52.519{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e210-0xe0816cdb) 23542300x8000000000000000764114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.790{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FBF9F57C2FE192ECE48FCFD0E4F2BA,SHA256=05D345236C53A134A5F209967A62AAF00D9B14940685AC9E15F3411AEF18C972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.846{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1C59-634D-B200-000000008502}524C:\Windows\System32\sihclient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.846{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1C59-634D-B200-000000008502}524C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.796{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9754B177F8A196E916E0F0B237DEDD,SHA256=D7217A9D30794EB6FB22001F5D026042239E6ACBF93D268E03742558CF772262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.698{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978AC0C981E8CCE09C10E4C03DCAE62F,SHA256=8645DFAC5A5971FAD879FA7EE5BDF895DACCF437F59948C655C4CAE2A3FAEAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.683{5C0BDE06-1A79-634D-1500-000000008502}1036NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.667{5C0BDE06-1A77-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.748{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.748{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.748{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.748{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.748{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.748{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.748{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.748{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.748{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000764104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.635{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA6D686027C489B550D15F8A9235ACA,SHA256=9D585B227763C0F5412F4DFB4EE417E0A94651299B9AD1D2AF78FB31FEC331F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.541{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000764049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.029{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2760ABC5EC45800D41DEBA8FA34B8C,SHA256=24B2795C971CF50720675EFBD2774EBCD15845103B7432328A814623502168D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.651{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.636{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.636{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.636{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.636{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.636{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.636{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.636{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.503{5C0BDE06-1C59-634D-B400-000000008502}23562868C:\Windows\system32\conhost.exe{5C0BDE06-1C59-634D-B200-000000008502}524C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1C59-634D-B300-000000008502}36241556C:\Windows\system32\conhost.exe{5C0BDE06-1C59-634D-B000-000000008502}2772C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.486{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1C59-634D-B400-000000008502}2356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.470{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.470{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.470{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.470{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.470{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.470{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.470{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.470{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.470{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.454{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1C59-634D-B300-000000008502}3624C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.454{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1C59-634D-B200-000000008502}524C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.454{5C0BDE06-1A79-634D-1500-000000008502}10361736C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-B200-000000008502}524C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1C59-634D-B100-000000008502}544C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A79-634D-1500-000000008502}10361132C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-B100-000000008502}544C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A79-634D-1500-000000008502}10362504C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-AF00-000000008502}172C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1C59-634D-B000-000000008502}2772C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A79-634D-1500-000000008502}10362532C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-B000-000000008502}2772C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1C59-634D-AE00-000000008502}2028C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A79-634D-1500-000000008502}10362716C:\Windows\system32\svchost.exe{5C0BDE06-1C59-634D-AE00-000000008502}2028C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.439{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.373{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BFE421DCDAEBF3FBA6798FF90A0E33,SHA256=6DB0003893E0B4ABE9B94CA63B4AD868B5B45C2E574F115B03ABB15B16092549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2BBF64BC95B8B5F2454522F44E71D851,SHA256=E24D59BEC0FA21B01EF0B459AE27FFD956DC793047424A9BCA87A7EA2C742B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.954{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF747E1B9EAE882F5A30B95872ABD33,SHA256=1C4F822A08D05D58200980C5FCBA4E794B610CFA88C7B44044D4D13A9E1FA892,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000764180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.770{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58001- 354300x8000000000000000764179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:53.309{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57833-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000764178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.798{A78D3DEB-1A89-634D-2A00-000000008502}2616NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C7591F2FA28D8789B78880251EDC004,SHA256=BAA6C975C2C2751E3C11F08A0AEF70D4FC00FBFB82B0847891326E6393D4FE58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000519966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:54.972{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=47F9D12046E124B7FFB2CBD77CFB997B,SHA256=6A1249AC2C133CBA65F55AC599B1C329BD9811424A4AEFD5F6F35B0470668938,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:54.874{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:54.874{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:54.872{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000519962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:54.872{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 23542300x8000000000000000519961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:54.644{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1D3845A3850FDBE33D4F54F9B02A06,SHA256=1960D292823D8C5F44F219FDFE7443EEFB601D17944016E2630EE0D7128EBBA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.771{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.771{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.771{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.771{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.771{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.771{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.771{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.771{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.771{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:54.553{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:54.549{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DFF71BAF009191779A17775AC10CB31,SHA256=885435422EF5175941B1E3C24892AC4D1CE96308E32FB322DB70A0FF69184EE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:54.150{5C0BDE06-1A79-634D-1600-000000008502}12201616C:\Windows\System32\svchost.exe{5C0BDE06-1C59-634D-B200-000000008502}524C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:54.072{5C0BDE06-1A79-634D-1600-000000008502}12201616C:\Windows\System32\svchost.exe{5C0BDE06-1C59-634D-B200-000000008502}524C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:55.920{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEB954A519FB2A99964EE1BE6D896AF,SHA256=F0DDB1CAB5913CDFB790F9D0520401EDF55714C99BA83970187B1349296C7B25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.796{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.796{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.796{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.796{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.795{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.795{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.795{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.794{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.557{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000519969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:56.995{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985F68B842658CA1F3E62911FD374836,SHA256=80C4DA1F1CE9501D50636471884DE461139F4571DECCE93F34BAE7F67A79F68D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000519968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:53.942{5C0BDE06-1C59-634D-B200-000000008502}524C:\Windows\System32\SIHClient.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49791-false52.152.110.14-443https 10341000x8000000000000000764332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.812{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.812{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.812{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.812{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.812{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.812{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.812{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.812{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.812{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.656{A78D3DEB-1A7B-634D-0D00-000000008502}9085012C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.562{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000764246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.081{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296B4E8AF8B275D7E09A2092CE83A112,SHA256=FCC52CD3859D8BF9989C68993EA364567C4312CEC5F7F47B66F075CFC19D30D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.066{A78D3DEB-1A7C-634D-1100-000000008502}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DF5B1A85B7A51CB7408802F1D27A5A8F,SHA256=6C21F375253131268468531C8D9DED6BA1778F05C90BB218FDA8BDA255949F0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:55.797{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000764398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:56.634{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56143- 10341000x8000000000000000764397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.824{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.824{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.824{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.824{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.824{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.824{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.824{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.824{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.824{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.574{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000764334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.215{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1080DBC40B53A703BDEC27605B574DA4,SHA256=2FC277892B2905DE4DE8D19097B75CAF566948F77E99069735CDF979DEAAA15D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:57.215{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DB87268FC9CC431A74F6A77C0C1050,SHA256=CC7EF34A7EC4C172566313348DE073A3836CC8A57905BC6647D697B97DA576CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.841{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.841{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.841{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.841{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.841{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000519970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:58.096{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97CA0CE8F745BB183FC8EAAD9FF40E6,SHA256=93FC7126326E80B10336ABCDCBB25901C1CED9FFB0CF55632B5EF324EFECD845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.841{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.841{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.841{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.841{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.576{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000764400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.357{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804EA8E7AF65290BC1BA4ED20D4C40BC,SHA256=50C76B17FD9B51E2392194D54BA5AC2E8088345AE6E07A3DA76062F0DF7E6D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.357{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159780D7B3FD41FFE1CDAC366E5BB411,SHA256=54992E644B0FE078B912FBBC3095310D55996ADEE7DAA017824AF95A962ADC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.958{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09999012958F50A234FA99F907855C1E,SHA256=9AA706FF51595EFBACFF7FBF961B66422D258288E608F2D046EA07D68D4DB4A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.865{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.865{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.865{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.865{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000519973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:59.880{5C0BDE06-1A78-634D-0D00-000000008502}8043960C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000519972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:57.151{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49792-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000519971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:11:59.400{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFEB6D79DA8301BC9FA6DE2572A2CFC,SHA256=F6AAD9E4235F72A97DFEADB00A9DE8D7D90B3D818631CCCE1F02833046B79754,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.865{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.865{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.865{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.865{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.865{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.583{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000764465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.458{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9F130471B914FC09515A577C1DCBC6,SHA256=438C80AE651E0E8120BFFB78B9587B72A4A0D6349EC91A5A9AD02F4656A93851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:58.997{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B9D18F3D1A95B90319D0E2C2E800AC,SHA256=FA456DC30F0D8FE785B409551D70E769651A308DC2219E8A04FE7EEC11CB9413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.940{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3632B7418F83C8D99076C35D7FCEE1BC,SHA256=C787F40FD4F6CB337406E27AF3BA9A97112DFAA2EDDE8CF704BC5A23FA0B27C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000764594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:11:59.342{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57834-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000764593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.877{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.877{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.877{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.877{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000520004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.685{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1AF4-634D-7B00-000000008502}2912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000520003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.683{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A8D-634D-6D00-000000008502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000520002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.680{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000520001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.676{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000520000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.675{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.673{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.672{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.668{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.667{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.665{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.658{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.656{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.652{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.641{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.636{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.627{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.623{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.606{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.569{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.558{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.547{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.538{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.525{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.511{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.497{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 23542300x8000000000000000519979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.494{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA14DED79B230DC0159FEBFB37D48B7,SHA256=E052D3C3D1AC44FA05140701D1269E85B85FCD666199CE037E893A57322067ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000519978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.485{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.463{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.445{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.432{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000519974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:00.428{5C0BDE06-1A79-634D-1E00-000000008502}19402880C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C610) 10341000x8000000000000000764589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.877{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.877{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.877{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.877{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.877{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.596{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000764530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:00.565{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659CD6F2F0624C21B7C064C96E64DA34,SHA256=BD2DA41A06DA019EEEBADAAA0E7137FB09B59CDB6F6BF5765B514AB2136FCB76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.987{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.984{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.977{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.974{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.972{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.970{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.914{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.909{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.901{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.900{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.900{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.900{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.900{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.899{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.899{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.899{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.898{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.895{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.886{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.878{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.864{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000520005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:01.657{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10072030DF814C17F7240D6874CCF1E,SHA256=1EAD1830D62F0285295F564EF998779D658DCA55C9566A726FEFF8E33DE1D182,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.857{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.845{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.836{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.822{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.814{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.767{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.748{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000764650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.668{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B72105F43BA2A4DC84C9AE7E014D20,SHA256=D176A5A69364CD5C8467A8BCCE8B5C4D3D81D327AC87C3790528EB0986060E3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:01.621{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.915{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.915{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.915{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.915{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000520006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:02.862{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900E08D2E513ED8FA9A746103D071246,SHA256=F8DF4DB5AB5ABD65976A67F460EE52747347810D5961C0F25E3C2243D792A91F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.915{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.915{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.915{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.915{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.915{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.513{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.511{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000764684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.063{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD3043DDFC4741829D28E04218BF406,SHA256=3070BB9F655BAEAAB79E3968FA7AC7B26E49AE22123BDE3D24A436256ED8318A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.023{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.020{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.015{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.011{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:02.004{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.939{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.939{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.939{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.939{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.939{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.939{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.939{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.939{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.939{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.634{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000764751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.113{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BD16E61B0CD48937834BE4F24DE412,SHA256=37CA22330C7606F86402B86E954C46ECFAB6B5B31BB8FF2D23DD3CE8C17D9C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:03.096{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7260365AF7EF6FD3DAF9C86A3FFF533,SHA256=95EB0D1FE18906F53EDDC77A3AF55F5B46C575B15D05C048088B889283CDA953,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000520007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:03.665{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000764886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.973{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F89F9B78923926398989C53E6969A5,SHA256=A4CDB2BFD585C6668FD658D0DAC647DA166322017D286C5A49209274F0A93BCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.957{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.957{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.957{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.957{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.957{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.957{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.957{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.957{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.957{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000520008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:04.055{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE9FAFA7E5914D32D9BB151CA710296,SHA256=F536B5FBC73BEF9936B68233D9D86F63C5B9AD30F40E75F165EC323C05AF1962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.770{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002AE5C6F700F978821327FBFB07153B,SHA256=B6B703FED9377E500DC46184706E042B6BADDE683D383AD7529040A41B5B0E01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.629{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.541{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.540{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000764819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.220{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3B5F6C786D8D880BC3717AD2D0457A,SHA256=58B6569B294615D841EA5EA12F6D10B5B4B3EAB2F120F09A8722D79CCBA18430,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.155{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.155{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.155{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.142{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.970{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.970{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.970{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.970{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.970{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.970{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.970{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.970{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000764961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.970{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000520010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:03.128{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49793-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000520009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:05.235{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B528ACDDE75DB7BC62F9848AAB2F7888,SHA256=9D9CF2EAFC256EAE65CC6660E610E404C24669DCF754A296DEBAF9A56DBEA3E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000764960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.642{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.177{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.169{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.168{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.168{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.167{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.163{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.149{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.138{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.102{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.090{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.079{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.072{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.070{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.067{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.064{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.061{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.060{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.057{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.056{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 10341000x8000000000000000764887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:05.053{A78D3DEB-1AF5-634D-9E00-000000008502}54845704C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D54E190) 23542300x8000000000000000520012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:06.777{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\respondent-20221017090356-007MD5=75B25DC729C19E88528C82668494583A,SHA256=ABB595BDF77E2788F2F972811CAEECA924DDF1180379487ABCCADDFB4B859A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000520011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:06.435{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42545B1A3B9D5BD7E3FEFFA8510E90B,SHA256=CECF54351BBA57F10DBF2798BDBE21B66C5EB39FC75CEC35D1F2B8DA948E0EE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000765026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.654{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000764972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.095{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBE9189E2B81FB97D7626A44882960E,SHA256=FFBD1238075074EA81B2745607180E7BB34A191DC282483D4FE3D778C66F231F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000764971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.080{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB19FACA8F79279A4752EEAFBD39E0D,SHA256=A8E98F020B2A0450C5346E765E2746DF0EDCDE8F70CDDF702B060391438C21FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000764970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:04.440{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-801.attackrange.local57835-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000520014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:07.776{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-008MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000520013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:07.516{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860B1C93AD247EA6069878EAE2FE939C,SHA256=9C9469D85AE420DF2E48BB347A99D9A616034A5E509964C82787E584779DF6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000765092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.814{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C6BA5462B6FE3C5FEE4F8A297CB6C7,SHA256=21040DD2AD59F4E45E74EC07E857E92CEBFA6E643BFD5B213ECC1400603019FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000765091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.658{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000765037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.197{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BBC300203F578E1F217A3D204D5115,SHA256=EFB6FED3BE5D9199DC4A61CDEA938AEC5D0A52EFE6ED6302434E060D298D0238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000765036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:07.197{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC56FB2980EA39E7316393F8E1F4F668,SHA256=9225AB3A104BD77309FE7E3AEA8B04072A9001A177F9B3D11D2C96C6BFB8A435,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000765035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:06.998{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000520016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:08.679{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7709412400645982ADE08F1B956EC957,SHA256=A23E6EF3B2714AC93B6875519FC7D50347E835542FF825EC22534556C24AA3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000520015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:08.592{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A205BB7EC600B73E253FA6190E7688,SHA256=7DF5A7B25F153F6538C6304C59F590DB22EAFC1547EDF6CEE58D1582F0733C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000765157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.791{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD85CFCF35A3B65D02C4B4B9B1109200,SHA256=338C4A408986E9316F611A92381D00CD29D7DDDC3016A2359698E008045F0ABF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000765156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.666{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000765102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.080{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C097B01F5232F672C15948AD2D4BDF,SHA256=64CB6E36C4E3AD78F9AAFE27940EC0B13430289EC5BD46A88C2218F80265B124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000765101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.017{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.017{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.017{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.017{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.017{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.017{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.017{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.017{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:08.017{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000520017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:09.780{5C0BDE06-1A8D-634D-6D00-000000008502}3752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7C820B23EA1ED205D87E239851AD92,SHA256=F517AB58E0980018067544E7ADCC40B41BFEE2DBED8FB6DA0570E386CAA0AD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000765222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.751{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380082394D5BF42EBC760AF99FB28EC4,SHA256=16E4D7B0C40A5442254A519AAF30E764D83B5456B99B6EEFAC34FD5AF6426280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000765221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.673{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000765167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.073{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19610CCEFA51AB09110A4C09B363975A,SHA256=AAD850A36601D1EF33020F6B658E81AF35C1E306D627C9741456C51CFDE7C043,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000765166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.041{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.041{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.041{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.041{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.041{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.041{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.041{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.041{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:09.041{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000765287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.740{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1880D8858DD177D30DF57269D5ECD6,SHA256=D97B8575B4DDB048EE398002BD6A04A3455051A83AC3A6FB158E547011DDC944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000765286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1BD6-634D-F500-000000008502}2228C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1B03-634D-AF00-000000008502}5016C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AF5-634D-9E00-000000008502}5484C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000520018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:12:08.205{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49794-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000765279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8C00-000000008502}2844C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8A00-000000008502}2352C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1AE6-634D-8900-000000008502}1980C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A9D-634D-7B00-000000008502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A96-634D-7100-000000008502}2320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8C-634D-4A00-000000008502}3820C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4500-000000008502}3608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8B-634D-4400-000000008502}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3800-000000008502}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6d0|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.677{A78D3DEB-1BC0-634D-ED00-000000008502}44605496C:\Windows\system32\taskmgr.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+3a6f4|C:\Windows\system32\taskmgr.exe+51c71|C:\Windows\system32\taskmgr.exe+14fc5|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1BC0-634D-ED00-000000008502}4460C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E800-000000008502}436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B9E-634D-E700-000000008502}5804C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1B58-634D-DD00-000000008502}364C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEB-634D-9C00-000000008502}2856C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AEA-634D-9B00-000000008502}2248C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE9-634D-9A00-000000008502}4876C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-9200-000000008502}4392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000765224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1BD6-634D-F500-000000008502}22284144C:\Windows\SysWOW64\explorer.exe{A78D3DEB-1AE8-634D-8F00-000000008502}4316C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000004CBC22)|UNKNOWN(00000000004CF67F)|UNKNOWN(00000000004CBD2E)|UNKNOWN(00000000004CF6E1)|UNKNOWN(00000000004C5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000765223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:12:10.064{A78D3DEB-1A9D-634D-7B00-000000008502}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FAC9AB99BF15152E8D7D5FE6C496B0,SHA256=E31F0C51743F9684CE431C2A5F407BA380D24473E1AFF3F349D627DFF3B29005,IMPHASH=00000000000000000000000000000000falsetrue